At Silverfin, we consider the security of our systems a top priority, but no matter how much effort we put into system security, vulnerabilities can still be present.
If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our systems.
Please do the following:
- Email your findings to bugbounty@silverfin.com;
- Encrypt your findings using our PGP key;
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people’s data. For instance, if you are able to modify our homepage, just add a single non-controversial word to it instead of taking over the entire page. If you can obtain access to a database, it suffices to show us a list of the tables that are in there, or perhaps the first record in one of these tables;
- Do not reveal the problem to others until it has been resolved;
- Do not use attacks on physical security, social engineering, distributed denial of service, spam, applications of third parties, and anything in the Out-of-scope Vulnerability list;
- Provide sufficient information to reproduce the problem so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation;
- Delete all confidential information you have obtained during your investigation as soon as we have resolved the vulnerability;
- If, after the vulnerability has been removed, you wish to publish information about the vulnerability, we ask you to notify us at least one month before publication and to give us the opportunity to respond. Identifying us in a publication is only possible after we have given our explicit approval.
What we promise:
- We will respond to your report within 5 business days with our evaluation of the report and an expected resolution date;
- If you have followed the instructions above, we will not take any legal action against you in regard to the report;
- We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission;
- We will keep you informed of the progress towards resolving the problem;
- In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise);
- As a token of our gratitude for your assistance, we may offer a reward for every report of a security problem that was not yet known to us. The reward will be determined at Silverfin’s sole discretion based on the severity of the vulnerability and the quality of the report;
- If you report several issues that are duplicated in different parts of the service (e.g., the same code running on different nodes or platforms), or part of a larger issue, these may be combined into one and only one reward will be granted.
Out-of-scope Vulnerabilities
The following issues are outside the scope of this Vulnerability Disclosure Policy:
- Our policies on the presence/absence of SPF/DMARC records.
- Password, email, and account policies, such as email id verification, reset link expiration, password complexity.
- Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token).
- Attacks requiring physical access to a user’s device.
- Missing security headers which do not lead directly to a vulnerability.
- Missing best practices (we require evidence of a security vulnerability).
- Self-XSS (we require evidence on how the XSS can be used in an attack).
- Host header injections unless you can show how they can lead to stealing data.
- Use of a known-vulnerable library (without evidence of exploitability).
- Issues relating to buggy non-Silverfin software.
- Reports from automated tools or scans.
- Reports of spam (i.e., any report involving the ability to send emails without rate-limits).
- Attacks that require the attacker app to have the permission to overlay on top of our app (e.g., tapjacking).
- Vulnerabilities affecting users of outdated browsers or platforms.
- Social engineering of Silverfin employees or contractors.
- Any physical attempts against Silverfin property.
- Presence of autocomplete attribute on web forms.
- Missing cookie flags on non-sensitive cookies.
- Reports of insecure SSL/TLS cyphers (unless you have a working proof of concept and not just a report from a scanner).
- Any access to data where the targeted user needs to be operating a rooted mobile device.
- Content spoofing vulnerabilities (where you can only inject text or an image into a page) are out of scope without evidence of exploitability.
- IP/Port Scanning via LogMeOnce services unless you are able to hit private IPs or Silverfin servers.
- Mobile app.
- Hyperlink injection or any link injection in emails we send.
- Creating multiple accounts using the same email.
- Being able to upload files with the wrong extension in chooser.
We reserve the right to change the content of this Vulnerability Disclosure Policy at any time or to terminate the Vulnerability Disclosure Policy.
This text is a derivative work of "Responsible Disclosure" by Floor Terra, used under a Creative Commons Attribution licence 3.0.