Security and disclosure policy

This page describes our security and disclosure policy. Have a look at our privacy policy if you are looking for privacy-related topics.

Security contact

For us, security and privacy take top priority

✅ No logging by default – ✅ Minimal data processing

We decided to choose the best protection for your personal data: We simply do not collect it. You don’t have to trust us, because you keep your data. By default, we do not log anything, and we concluded a data processing agreement according to Article 28 GDPR with our server provider (see our privacy policy). We do not track you, and we do not set any cookies.

✅ Single-purpose server – ✅ No databases

For security, we provide our website using a dedicated virtual server. There aren’t any other public services on this server (e.g., no database server, no mail server, no messaging server).

✅ Security monitoring – ✅ Strong authentication – ✅ Defined processes

We permanently monitor our server to check for modified files and login attempts. Two-factor authentication is needed to access our server. The core of our server is a hardened Linux installation. Hardening means that we removed unnecessary packages and applied strict configuration at the kernel level. Finally, we implemented processes to ensure the installation of security updates within a narrow time frame and quick reaction to reported potential security vulnerabilities.

✅ 100% static content – ✅ No CMS, PHP, or JavaScript – ✅ No 3rd party content

Our website consists of 100% static content. There is no content management system (CMS) installed, and there is no dynamically-served content like PHP or JavaScript. We do not embed any third-party content, and all links to third-party websites are visually marked. If you navigate to other websites from the InfoSec Handbook, the new browser tab runs in a separate process in your web browser, and we strip any Referrer information.

✅ 100% transparency – ✅ Available on archive.org – ✅ No hidden changes

You find all changes on InfoSec Handbook on codeberg.org. Our commits are cryptographically signed. When we update our content, we add a small changelog to the bottom of the post, listing the most significant changes. Moreover, our website is listed on archive.org. This way, you can go back in history and check our changes.

Disclosure policy

Did you find a potential security vulnerability? You find our security-related contact details above. We won’t take legal action against you as a penetration tester if you observe the law, and we won’t publish your identity by default.

Besides, we run a bug bounty program to ensure the highest level of security and privacy. Everyone is eligible to participate in the program as described by this policy.

Disclosure process

We are big fans of “coordinated disclosure.” For this reason, we follow the process below:

1. You start to test for security vulnerabilities

First of all, thanks for helping us to improve the security of the InfoSec Handbook. Please look at the scope and observe the testing requirements. If you have any further questions, please do not hesitate to contact us.

2. You send us a private report

You privately report a potential security vulnerability. Use the communication channels mentioned above. Use our OpenPGP key, and provide your OpenPGP key!

You may submit your report anonymously; however, we can’t get in touch with you in this case.

3. We check your report and you get our feedback

We check your initial report. Depending on our investigation, we either:

  • fix the vulnerability and get in touch with you regarding your bug bounty and coordinated disclosure, or
  • get in touch with you to request additional information, or
  • inform you about the ineligibility of your report.

Expect our initial feedback within 5 days.

4. We wait for your feedback

After sending our feedback to you, we wait up to 30 days for your response.

5. We publish information about your report

The final step of the coordinated disclosure process can be:

  • We agree on coordinated disclosure of the fixed vulnerability. Upon request, we add your name to our Acknowledgments section.
  • We publish information regarding an invalid vulnerability to inform future testers.

Scope and possible bug bounties

The disclosure policy on this page is valid for the following domain names (and underlying servers):

Domain name                         Eligible for bug bounties
----------------------------------  -------------------------
https://infosec-handbook.eu/        yes
All other domains operated by us    no

The following bounties are only a guideline. We include the actual bug bounty in our responses. If all testing requirements were met, we offer the following bounties:

Type of vulnerability                        Bug bounty up to
-------------------------------------------  ----------------
Security-relevant configuration weakness     Acknowledgment
Information leakage (except personal data)   €75
Code injection (e.g., HTML, JS)              €100
Unauthorized access (user-level)             €100
Remote Code Execution (RCE)                  €150
Leakage of personal data                     €175
Unauthorized access (root-level)             €175

Out-of-scope are vulnerabilities of software that we don’t use, vulnerabilities that require physical access to our servers, and recently disclosed 0-day vulnerabilities. If you report out-of-scope vulnerabilities, you may still be eligible to be listed below.

Bug bounties can only be paid via bank wire transfer (EU countries only) or Stellar Lumens (XLM). There may exist additional legal regulations and requirements regarding payments and bug bounties in your country.

Testing requirements and code of conduct

Please observe our testing requirements and code of conduct:

1. Check whether you are the first reporter

You must be the first reporter of a potential vulnerability. Please go to our issue tracker BEFORE reporting anything, and check whether somebody already reported the potential vulnerability.

2. Check the scope

The reported vulnerability and the domain name must be in scope.

3. Provide a report

Please include the following in your report:

  1. A brief description of the security vulnerability (Which software is affected? What is the issue?)
  2. A brief description of risks originating from the security vulnerability (What are risks for our website?)
  3. A step-by-step guide that allows us to reproduce the issue

If necessary, add screenshots or proof of concept code.

4. Do not act unprofessionally

  • Do not randomly attack our server with automated tools. Flooding our servers with millions of requests or executing random attacks is neither something a professional penetration tester does nor something that we want to see.
  • Do not leak, manipulate, or destroy any data on our servers.
  • Do not publish anything regarding a confirmed and unpatched vulnerability without our prior permission.
  • Do not use abusive language, act criminally, or impersonate us.
  • Do not demand a bug bounty, or try to press us for money.

Acknowledgments

We would like to thank the following researchers and testers:

Date        Name         Vulnerability                        Bounty
----------  -----------  -----------------------------------  ------
2019-08-28  Undisclosed  Unintended metadata in some files    €25

Changelog

We updated this page on May 28, 2020. For transparency, we provide a complete changelog of this page on codeberg.org.