|
| 1 | +--- |
| 2 | +layout: page |
| 3 | +title: Vulnerability Disclosure Policy |
| 4 | +permalink: /security/ |
| 5 | +hidden: true |
| 6 | +--- |
| 7 | + |
| 8 | +# Commitment |
| 9 | + |
| 10 | +The organization is just me, I am committed to security, and not becoming a comic book villain by suing you guys. |
| 11 | +I'm told I should have one of these policies, and it should include "Safe Harbor", "Important Guidelines", "Scope", and "Process". |
| 12 | +So, here goes. |
| 13 | + |
| 14 | +# Safe Harbor |
| 15 | + |
| 16 | +If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. |
| 17 | +We will work with you to understand and resolve the issue quickly, and we will not recommend or pursue legal action related to your research. |
| 18 | +Should legal action be initiated by a third party scumbag against you for activities that were conducted in accordance with this policy, we will make this authorization known. |
| 19 | + |
| 20 | +# Important Guidelines |
| 21 | + |
| 22 | +Please notify us as soon as possible after a security vulnerability is found. |
| 23 | +Proof of concept exploits SHALL have minimal impact that is sufficient to demonstrate the existence of a vulnerability. |
| 24 | +Partial PoCs that do not breach all layers of defense are still appreciated. |
| 25 | +We all know what a segfault at 0x4141414141414141 means, you don't have to spend a weekend getting the ROP chain to work. |
| 26 | + |
| 27 | +# Scope |
| 28 | + |
| 29 | +Any software hosted on [my github](https://github.com/stribika) is in scope. |
| 30 | +Any service hosted under stribik.technology, strib.tech, or their subdomains is in scope. |
| 31 | + |
| 32 | +Social engineering is not in scope. |
| 33 | +This is because "we" are just me. |
| 34 | +Social engineering is simply the act of lying to me, and "we" don't appreciate that kind of thing. |
| 35 | + |
| 36 | +For similar reasons, physical access is not in scope either. |
| 37 | + |
| 38 | +Denial of service that relies on merely saturating the pipe is not in scope. |
| 39 | +It's not interesting and there is no possible way I could fix that. |
| 40 | +All I can do is move the site behind Cloudflare for a while, and if you keep trying, you could literally break the Internet. |
| 41 | +Low traffic denial of service is in scope but do you MUST NOT keep it going for an unreasonably long time. |
| 42 | + |
| 43 | +# Process |
| 44 | + |
| 45 | +The reporting process is very simple. |
| 46 | +You SHALL send an email to [security@stribik.technology](mailto:security@stribik.technology), with enough information to identify and, if applicable, reproduce the issue. |
| 47 | +You SHOULD encrypt said email with the [public key](/assets/about/security.gpg) provided here, using S/MIME. |
| 48 | +If you do encrypt it, you MUST provide a reasonable way to obtain your public key. |
| 49 | + |
| 50 | +We SHALL reply within 24 hours. |
| 51 | +In this reply, we MAY ask you to wait an additional 24 hours before public disclosure. |
| 52 | +After this time of at most 48 hours, you MAY disclose the vulnerability publicly. |
| 53 | +After a further 24 hours (72 in total), you SHOULD disclose the vulnerablity publicly or we will. |
| 54 | + |
| 55 | +You MAY request your name to be added to a special acknowledgements page. |
| 56 | +If no such page exists, one will be created for you. |
| 57 | +The name MUST be a non-empty unicode string no longer than 1 KiB. |
| 58 | +It is an arbitrary value, it does not have to be your actual name. |
| 59 | +The default is "Anonymous". |
0 commit comments