From 05d02fa64ffe257a45d2eb78b530bd4a7ff08b15 Mon Sep 17 00:00:00 2001 From: EdOverflow Date: Sat, 12 Aug 2017 22:58:52 -0400 Subject: [PATCH] Create a security.txt. --- www/security.txt | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 www/security.txt diff --git a/www/security.txt b/www/security.txt new file mode 100644 index 0000000000..8b16b7870f --- /dev/null +++ b/www/security.txt 
@@ -0,0 +1,44 @@ +# In scope targets +In-scope: gratipay.com +In-scope: grtp.co + +# Our GitHub projects +In-scope: inside.gratipay.com +In-scope: github.com/gratipay/bot +In-scope: github.com/gratipay/environment.py +In-scope: github.com/gratipay/postgres.py + +# Out of scope vulnerabilities +Out-of-scope-vuln: Clickjacking +Out-of-scope-vuln: Physical testing such as office access +Out-of-scope-vuln: Social engineering +Out-of-scope-vuln: UI and UX bugs and spelling mistakes +Out-of-scope-vuln: Network level Denial of Service (DoS/DDoS) vulnerabilities +Out-of-scope-vuln: Low severity issues that can be detected with tools such as Hardenize and SecurityHeaders.io +Out-of-scope-vuln: Reports that state that software is out of date/vulnerable without a proof of concept +Out-of-scope-vuln: Host header issues without an accompanying proof-of-concept demonstrating vulnerability +Out-of-scope-vuln: XSS issues that affect only outdated browsers +Out-of-scope-vuln: Stack traces that disclose information +Out-of-scope-vuln: Highly speculative reports about theoretical damage +Out-of-scope-vuln: Reports from automated web vulnerability scanners that have not been validated +Out-of-scope-vuln: Content injection issues +Out-of-scope-vuln: Cross-site Request Forgery (CSRF) with minimal security implications +Out-of-scope-vuln: Missing cookie flags on non-security-sensitive cookies +Out-of-scope-vuln: Banner grabbing issues +Out-of-scope-vuln: Open ports without an accompanying proof-of-concept demonstrating vulnerability +Out-of-scope-vuln: Recently disclosed 0day vulnerabilities +Out-of-scope-vuln: Issues in third-party services + +# Rewards +Reward: Critical-500 +Reward: High-100 +Reward: Medium-swag +Reward: Low-hof +Reward: None-hof + +# If you have any questions concerning our program, feel free to send us an email at security@gratipay.com. +# Please do not send reports by email and make sure not to disclose sensitive information in the email. 
+Contact: security@gratipay.com + +# Our HackerOne program +Platform: https://hackerone.com/gratipay \ No newline at end of file
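Review bot: The closing block of the hunk contradicts itself: the comment says "Please do not send reports by email", yet the only standard field in the file, `Contact:`, points to security@gratipay.com, while the HackerOne program, which is evidently where reports are wanted, sits in a custom `Platform:` line that no security.txt parser will recognize. Consider listing the program as the first contact and the mailbox second, in the URI form the specification expects, e.g. `Contact: https://hackerone.com/gratipay` followed by `Contact: mailto:security@gratipay.com`, so that the preferred channel comes first. The same applies to the `In-scope:`, `Out-of-scope-vuln:` and `Reward:` fields above it: they are not defined by the security.txt specification, so spec-conforming tools will drop them; the scope and reward details are better kept in a policy page referenced with a `Policy:` line (a field the specification does define), which also keeps the file short enough to be reviewed at a glance. Two smaller points: the specification's canonical location is `/.well-known/security.txt`, so the root-level `www/security.txt` should at least be mirrored there, and the file is missing its trailing newline ("\ No newline at end of file"), which should be added.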