Responsible Disclosure Policy for Security Vulnerabilities
Smokescreen works closely with security researchers to identify and fix any security vulnerabilities in our infrastructure and products. If you believe you have found a security issue, we encourage you to notify us and work with us on the lines of this disclosure policy.
- Let us know as soon as you discover a potential security issue. Depending on the severity, these issues will be given the highest priority in our issue trackers. Do not publicly disclose part, or all of the vulnerability until we have had a chance to investigate and remediate it with you.
- Notify us on [email protected]. you may encrypt them to the following GPG key. If you believe you have found a vulnerability that affects confidential information (such as customer data, source-code, credentials etc.), please confirm the potential issue with our team prior to attempting to gain access to the information or downloading any confidential data. Any security report that contains confidential information must be sent encrypted to our GPG public key.
- Provide us with as much technical and background information on the vulnerability as you can. This includes proof-of-concept screenshots, PoC code, affected assets, and any mitigation recommendations that you may have identified.
- The scope of our security program extends only to *.smokescreen.io or to the latest build of our products. If you’re unsure, please clarify if an asset is in scope prior to commencing your research. This gives our team a heads-up and can save your time from testing assets that are outside of our security program.
- Attacks that are expressly out of scope include:
- Denial of Service
- Social-engineering / phishing Smokescreen staff
- Physical security testing of Smokescreen premises or data centers
- Attacks that destroy data / infrastructure, or put our customers, or the public at large at risk
- Attacks that misrepresent Smokescreen to other parties
- Smokescreen will acknowledge receipt of a security report by the end of the following business day, and will then work with you to remediate any vulnerabilities. We publicly acknowledge security researchers who follow this responsible disclosure policy, and may include them in our private bounty program which has additional scope, access, and rewards.
- In case you are uncertain of the rules of engagement, or anything else related to how to work with us on security issues, please write to us on [email protected]creen.io beforehand. It’s always better to seek clarification first.
- Smokescreen will not entertain any bug reports where additional details or disclosure are contingent on commercial reward. We would consider this a (rather unethical) commercial penetration test solicitation, not good faith security research.
- Smokescreen typically only considers “medium” or higher severity issues. Here is an indicative list of issues that are not considered:
- Issues found through automated testing
- “Scanner output” or scanner-generated reports
- Presence of banner or version information
- OPTIONS / TRACE HTTP method enabled
- XMLRPC presence / issues
- Publicly-released bugs within 3 days of their disclosure
- “Advisory” or “Informational” reports such as user enumeration
- Vulnerabilities requiring physical access to a system
- Denial of Service attacks
- Missing CAPTCHAs
- Default webserver pages
- Brute-force attacks
- Spam or social engineering techniques, including:
- SPF, DKIM, DMARC issues
- Content injection
- Hyperlink injection in emails
- IDN homograph attacks
- RTL Ambiguity
- Content Spoofing
- Issues relating to password policy
- Full-path disclosure
- Version number information disclosure
- Clickjacking / frame-redressing
- CSRF-able actions that do not require authentication (or a session) to exploit
- Issues on 3rd-party subdomains / domains of services we use. Please report those issues to the appropriate service.
- Reports related to the following security-related headers:
- Strict Transport Security (HSTS)
- XSS mitigation headers (
- Content Security Policy (CSP) settings (excluding
nosniff in an exploitable scenario)