This is a vulnerability disclosure program for all of my personal projects and code that I publish.
I will investigate legitimate reports and make every effort to quickly resolve any vulnerability. Please make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of my services.
I will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. I consider activities conducted consistent with this policy to constitute “authorised” conduct under the Computer Fraud and Abuse Act. I will not bring a DMCA claim against you for circumventing the technological measures I have used to protect the applications in scope of this program.
If legal action is initiated by a third party against you and you have complied with this security policy, I will take steps to make it known that your actions were conducted in compliance with this policy.
It is also important to note, I will not take legal action against you simply for providing me with a proof of concept of the security vulnerability. Please follow the guidelines listed in the Proof of concepts section below to ensure that your proof of concept is detailed enough to demonstrate the issue and still follows the guideline listed above.
If you have any questions or concerns about about my disclosure policy, please do not hesitate to contact me via email (security [a t] swen [d o t] nl).
You tell me about a vulnerability in one of my projects. I will acknowledge your report within 2 business days. I will work with you to understand the issue and make sure I have all the necessary details. I will then work to fix the issue as quickly as possible.
I will make a best effort to meet the following expectations for hackers participating in this program:
Time to first response: 2 business days or less. Time to triage: 3 business days or less.
All projects listed in the “Canonical” section of my security.txt file are in scope. If it doesn’t, then that project does not belong to me. I run services at my systems with software that I didn’t wrote. If you find a vulnerability in one of these services, please report it to the respective team. If you find a vulnerability in the way I implemented the service, please report it to me.
$ curl http://s.swen.nl/.well-known/security.txt|grep ^CanonicalThe following test types are excluded from the scope:
The following issue types are excluded from scope:
| Description | Reason |
|---|---|
| Network-level Denial of Service (DoS/DDoS) vulnerabilities. | I do not want you to disrupt any of my services and to be honest with you if I want to take down a service I will always find a way. |
| Banner grabbing issues (figuring out what web server I use, etc.). | I will happily share what web servers I am running. |
| Issue type | When to report the issue |
|---|---|
| XSS | For XSS, a simple alert(document.domain) should
suffice. Bonus points for alert('🐸'). |
| RCE | Please only execute harmless code. Simply printing something or evaluating an expression should be enough to demonstrate the issue. |
| SQLi | Report it as soon as you have a SQL error that indicates SQL injection or you are able to disclose the SQL server’s version number. |
| Unvalidated redirect | Set the redirect endpoint to http://example.com. |
| Information disclosure | If your report contains sensitive data, please use my PGP key to encrypt it. |
| CSRF | Either attach a file to demonstrate the issue or paste the code in a code block in your report. |
| SSRF | Do not go playing around on any internal networks. Leave the fun bit to me. If you feel the necessity to retrieve an internal file, please only request the internal security.txt file. |
| LFI | The same applies here — please do not go against the guideline listed in the Disclosure policy section. There should be a security.txt file located in the root directory. Being able to retrieve that file should be enough to demonstrate the issue. |
$ curl https://keybase.io/aswen/pgp_keys.asc?fingerprint=e3de2eb9ff38593f08b905a42d339ccd3e75be36 | gpg --importThe term “severity” is frequently used interchangeably with “impact” or “priority”. This section defines my terminology in order to prevent any potential confusion. I use the Oxford Dictionaries’ definition [2] of “severity” and Information Technology Infrastructure Library’s definitions [3] of the two latter terms.
Severity
The fact or condition of being severe.
Impact
A measure of the effect of an incident, problem or change on business processes. Impact is often based on how service levels will be affected. Impact and urgency are used to assign priority.
Priority
A category used to identify the relative importance of an incident, problem or change. Priority is based on impact and urgency, and is used to identify required times for actions to be taken.
Whenever I triage a report, a CVSS v3.0 Base Score metric [4] is set which evaluates the technical severity of the reported issue and allows me to prioritise the fix. Once a patch has been submitted and verified, I will then evaluate the total CVSS score by including the Environmental Score. [5]
I am not currently offering financial rewards as my software is free and open-source, but if we ever meet in person drinks are on me. Please note that this section may change in the future.
Thank you for helping me keep my projects safe!