Commit 304e7e6 (parent: 1d9271c)
Showing 1 changed file with 17 additions and 45 deletions.
@@ -1,55 +1,27 @@ | ||
--- | ||
layout: article | ||
title: Ribose CVE policy | ||
revision_date: 2023-11-15 | ||
revision_date_template: "Last revised on: {{ revision_date | date: '%b %d, %Y' }}" | ||
permalink: /cve-policy/ | ||
hero_include: index-page-hero.html | ||
--- | ||
|
||
== Ribose CVE policy | ||
== Reporting a Vulnerability | ||
|
||
=== Report A Vulnerability | ||
If you have discovered a security vulnerability, | ||
please report it to us by using one of the following channels: | ||
|
||
If you have discovered a security vulnerability, please report it to us by using our security vulnerability reporting form which you can find below. We believe in responsible disclosure and kindly ask to you to allow us a period of time to investigate and patch the vulnerability before you publish details. Verifying and testing of the patch can take from several hours to several days where we perform extensive testing to guarantee the stability and operation of our service. | ||
* by submitting the GitHub Security Advisory form for the respective GitHub project, | ||
- _e.g._ https://github.com/rnpgp/rnp/security/advisories/new[^] | ||
* or by emailing [email protected] with the following details: | ||
- project name, | ||
- description of the issue, | ||
- steps taken to reproduce the issue, | ||
- affected versions, | ||
- mitigations for the issue, if known. | ||
|
||
We actively work together with security researchers and we also participate in the bug bounty program of https://bugcrowd.com[Bugcrowd]. We will always respond to security reports: the security of our users and their data are of greatest importance to us. | ||
We believe in responsible disclosure and kindly ask to you to allow us a period of time to investigate and patch the vulnerability before you publish details. | ||
|
||
Please read the following ** Responsible Security Disclosure program** description before you begin with your security testing: | ||
|
||
=== Responsible Security Disclosure Program | ||
|
||
To be considered, submitting vulnerabilities must adhere to the following rules: | ||
|
||
* We need to be able to verify the reported vulnerability, and the report itself needs to be provided with as much information as possible such as what browser and platform used. It is greatly appreciated if you include a video; | ||
* Distributed Denial-of-Service (DDoS) attacks and capacity testing are not allowed; | ||
* Automated scanners are not allowed due to the high amount of false positives generated; | ||
* Your testing should not negatively impact another user's Ribose experience. For example, do not send messages to other Ribose users containing cross-site scripting (XSS) without their consent; | ||
* You must be the first researcher to report the issue, the earliest sent report is considered the first report; | ||
* The vulnerability needs to be an actual bug. Suggestions and ideas for improvements in our security are important to us, these however do not qualify as a security vulnerability. | ||
|
||
Examples of potential valid issues: | ||
|
||
* Authentication flaws; | ||
* Cross-site scripting (XSS); | ||
* Cross-site request forgery (CSRF/XSRF); | ||
* Mixed-content scripts; | ||
* Server-side code execution; | ||
* SQL injection; | ||
* Directory traversal; | ||
* Descriptive error messages (e.g. stack traces, application or server errors). | ||
|
||
Examples of invalid issues: | ||
|
||
* reCAPTCHA; | ||
* Output which is copy pasted from automated scanners without an accompanying proof of concept; | ||
* Information leaks such as IP addresses; | ||
* Login page brute force or account lockout not enforced; | ||
* Findings derived from SSL settings (e.g. BREACH attack, insecure SSL ciphers enabled); | ||
* Clickjacking and issues only exploitable through clickjacking; | ||
* CSRF on forms that are available to anonymous users (e.g. the contact form); | ||
* Logout Cross-Site Request Forgery (logout CSRF). | ||
|
||
Our security team has the final say in whether a report qualifies as a security vulnerability or a suggestion. | ||
|
||
Vulnerabilities can be reported for any Ribose subdomain: `*.ribose.com`. | ||
However, security vulnerabilities in third-party websites or services operating a ribose.com subdomain are explicitly excluded from the Ribose responsible disclosure program. | ||
|
||
Finally, if your report is accepted as a security vulnerability, you will be rewarded with a **swag kit**. | ||
NOTE: We may have to contact you via separate channels | ||
in order to verify the report. |
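Review bot: the responsible-disclosure sentence carried over into the new text still reads "kindly ask to you to allow us a period of time", so the stray "to" survives the rewrite; suggest "We believe in responsible disclosure and kindly ask you to allow us a period of time to investigate and patch the vulnerability before you publish details." Two smaller points on the same hunk: the heading case is inconsistent between "== Reporting a Vulnerability" and "=== Report A Vulnerability", and the rewrite drops the scope statement (reports accepted for `*.ribose.com`, third-party services on a ribose.com subdomain excluded), so readers of the new page no longer learn which assets are in scope; worth restoring a one-line scope note next to the channels list. The email address appears redacted here as [email protected], so verify the real address in the source file.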