Version: 1.0

Date Effective: 2019-05-19

I welcome and value vulnerability disclosures from responsible security researchers, and I recognize the importance of the work done by the security community. I have developed this policy to encourage and support responsible disclosure and the crucial work done by ethical hackers.

Scope

The following are in-scope:

  • My personal website at https://u8nwxd.github.io
  • Any of the projects under my GitHub account. Note that only repositories owned by that account (U8NWXD) are in-scope. The fact that I contribute to a repository does not make it in-scope for this policy. Vulnerabilities discovered in those projects should be reported to the project owners.

Everything not listed as in-scope above is out-of-scope and not covered under this policy. Note that for the sake of clarity, the following are explicitly out-of-scope:

  • Any physical exploits or research that involves physical access to my person or property.
  • Any research involving physical trespass.
  • Any social engineering attack. Do not send any phishing emails, for example.

Requirements

Note that except for requirements that are explicitly restricted to intentional acts, both intentional and accidental violations of these requirements will constitute a violation of this policy.

  • You may not disclose any vulnerabilities without my explicit written permission. Note that “disclosure” here includes both public and private disclosure.
  • You may not disrupt any services nor impair others’ ability to use any services.
  • You may not modify or delete any data that I host, with the exception that you may do so temporarily only to demonstrate the vulnerability.
  • Neither this policy nor your ability to access data constitutes authorization for you to access that data. If you discover a vulnerability that provides access to data that I did not intend to be accessible to you, you may not access the data except to the extent that is strictly necessary to demonstrate the presence of a vulnerability.
  • If you encounter any data that must be protected by law (e.g. protected health information), you must not access the data and report the vulnerability immediately.
  • You must disclose to me, via the process described in this policy, any vulnerabilities you discover.
  • As much as possible, you must interact only with accounts you own or with accounts whose owners have given you explicit, informed permission for your activities.
  • You must not at any time, not even when disclosing the vulnerability or after disclosure, release any data you encounter that I did not intend to be accessible. Note that “release” here includes both public and private release.
  • You must comply with all applicable laws, including those of the United States of America. See the rest of this policy for safe harbor provisions.
  • You must never threaten or infringe upon anyone’s rights, safety, property, or person.
  • You must only work on those systems or programs listed as in-scope by this policy.

Safe Harbor

I consider research conducted in accordance with this policy to be:

  • Conducted in good faith;
  • Authorized for the purposes of the Computer Fraud and Abuse Act (CFAA) and any similar state laws;
  • Exempt from the Digital Millennium Copyright Act (DMCA); and
  • Lawful to the extent that the research was necessary to discover and report the vulnerability.

I will not pursue legal action against anyone based on activities that are authorized by and compliant with this policy. However, note that these safe-harbor provisions only apply to me. If in the course of your research you illegally access a third party’s system, for example, that third party may still take legal action against you, and I might not defend you.

Note that the above safe harbor provisions only apply to cyber-security research conducted in compliance with this policy.

Submission Details

These details are non-binding and are only intended to give you an idea of how I respond to vulnerability disclosures.

  • Contact me using encrypted email to report the vulnerability. Details and my public key are available from my security page. Using an insecure communication method to transmit details of a vulnerability may constitute an unauthorized disclosure. Please include a description of the vulnerability and detailed steps to reproduce it. Reports should be clearly written in English.
  • I will review your disclosure and respond within 10 business days.
  • I may ask you for more details to help me remediate the vulnerability.
  • I will remediate the vulnerability.
  • I will most likely authorize you to publicly disclose the vulnerability, disclose it myself, and publicly credit you with the disclosure (if you so choose). I do not foresee a situation in which I would prevent disclosure entirely, but such a situation may arise.

Note that I do not offer bug bounties, but I am happy to credit you for your work!

Acknowledgements

This policy was inspired by the following resources: