Security Policy
===============

Last updated: 2023-09-28
Signature: https://felixbrezo.com/res/security-policy.txt.asc

Services in Scope
-----------------

Any services used by me:

- *.felixbrezo.com

This may also include information leakages related to my personal accounts, such as:

- https://twitter.com/febrezo
- https://github.com/febrezo
- https://mastodon.social/@febrezo
- https://linkedin.com/in/felixbrezo

Qualifying Vulnerabilities
--------------------------

Simple: anything not previously reported. If it has already been reported, I will provide the appropriate evidence. The purpose of this security policy is simple and humble: if you find something here, I simply would like to thank you for your time and effort.

Reporting Bugs
--------------

So that I can credit your efforts, I am a fan of coordinated vulnerability disclosure (you know, "responsible disclosure"). Give me some time to fix it first. Some notes about the reporting process:

1. Use the email provided, including the subject specified in the "security.txt" file, since I have email rules to prioritise this information. Language preferences are limited to English, Spanish and Catalan… For now.
2. Use the specified subject and try to be clear about the results, specifying the What, the How, the Impact and, if possible, the recommendations. Please note that if you found something wrong you will know more than me about the fix, so don't assume that complex things are obvious…
3. Please give me up to 24 hours to acknowledge receipt of the notification. I will probably reach you sooner, but I prefer to be conservative about my expectations.
4. I will get back to you within 72 hours with the approach to fix the issue. I will propose a coordinated vulnerability disclosure in the terms described below. Although it will probably not be needed, each of my notifications will be appropriately signed, just in case you find it useful to show it to others.

In any case, the hash of the response will be added to the Hall of Fame, together with a brief description and the date. Note that under NO circumstances SHOULD personal information, or insights that lead to additional security risks, be shared.

Rewards
-------

Each vulnerability will be assessed separately. I'll be using an approach that considers two dimensions, following Google's approach for rewards (more info: https://bughunters.google.com/about/rules/6625378258649088/google-and-alphabet-vulnerability-reward-program-vrp-rules):

- Impact. Defined by Google as "The impact assessment is based on the attack’s potential for causing privacy violations, financial loss, and other user harm, as well as the user-base reached". Each accepted vulnerability will be rated as "High" (3), "Medium" or "Low" (1).
- Probability. Defined by Google as "The probability assessment takes into account the technical skill set needed to conduct the attack, the potential motivators of such an attack, and the likelihood of the vulnerability being discovered by an attacker". Again, each accepted vulnerability will be rated as "High" (3), "Medium" or "Low" (1).

The values assigned will be appropriately described. These two numbers will then be multiplied to obtain a vulnerability score for your report, and the score implies different cumulative benefits:

- 1. A mention in the HoF.
- 2. A mention in my social networks at Twitter and/or Mastodon.
- 3. A Twitter and/or Mastodon thread explaining your findings.
- 4. A Twitter Space with me to informally discuss the findings and laugh a bit about my stupidity. We are here to learn!
- 6. Up to 50 USD paid in XMR, depending on the impact.
- 9. Up to 300 USD paid in XMR, depending on the impact.

Serious vulnerabilities will be analysed separately.

If a reported vulnerability is not yet registered in the Hall of Fame but was submitted by two people at the same time, in case of doubt the first reporter will be credited with the highest bounty while the other will simply be credited with a mention in the Hall of Fame, even though the idea is that both researchers are treated equally. In any case, each decision will be publicly discussed for transparency.