Responsible Disclosure Policy
What did you do on the long weekend? I wrote a responsible disclosure policy! I self-host all of my network and Internet services, other than a few backup DNS services. It’s a lot of fun and a fantastic learning experience, but also a risk; I take ultimate responsibility for my data and the security of the services I run.
Despite the time and care I’ve put into my network, someone will inevitably find vulnerabilities. If that someone is you, the hacker reading my email right now, then this policy is written for you :-)
You might have accidentally or intentionally discovered an issue. Either way, please let me know so that I can take action as soon as possible. That said, this is not an invitation to scan, probe or test the security of my systems. If you would like to test the security of my systems, please contact me first.
My ask of you
Please report any vulnerabilities you find to me. I ask you to please:
- Send your findings to me in an encrypted email. You’ll find my PGP key here.
- Provide enough information for me to understand and replicate the issue, so that I can fix it as soon as possible. For example, please share:
  - the IP address,
  - any URL,
  - the name of the service you were able to exploit,
  - the details of how you exploited the service,
  - any special configuration or requirements needed to reproduce the issue.
- If you’d like to discuss the vulnerability I’d welcome that.
- Please respect the scope outlined below.
My Promise to you
I’ll take your report seriously and respect the time you’ve spent helping me improve the services I run.
- I will respond to you as soon as I read your report, and I’ll take action as soon as possible.
- I might need more information, which I’ll ask you for.
- I’ll treat your identity and report confidentially. I won’t share your personal information without your consent, except to the police and judiciary if I’m legally required to do so.
- As I remediate the issue I’ll keep you up-to-date on my progress if you’d like me to.
- I’ll include your name as the person who discovered the vulnerability in any material I publish, but only if you’d like me to.
- I won’t bring legal charges against you, so long as you act in the spirit of the Coordinated Vulnerability Disclosure model.
Scope
I ask you to please respect the following during your engagement with me and the services I run.
In scope
- My IP ranges. I appreciate that you won’t know what these are, and I don’t want to publish them all here. The majority of my services are exposed on the IP address serving this web page. Please reach out to me to confirm the others.
- The services I run and expose to the public Internet.
- The network behind my public IP addresses, supporting my Internet facing services.
Out of scope
- Do not touch my upstream Internet provider or any virtual hosting providers I use, including Aussie Broadband Limited, Amazon Web Services, Azure and Hurricane Electric.
- Don’t perform any physical security or social engineering tests on me, my friends, family or work.
- Do not brute force or perform denial of service attacks.
- Don’t change any data or install malware or back-doors.
- Refrain from sharing the vulnerability with others before I’ve had a chance to fix it.
- Do not remove data from my systems, other than the minimum required to document the vulnerability.
No rewards
I’m not offering any monetary compensation for reporting vulnerabilities. Importantly, this policy is not intended to encourage hacking attempts against the network and services I maintain. Instead, it provides guidance for the responsible disclosure of vulnerabilities you’ve identified that concern the network and services I maintain.
Contact
You can message me by mailing my first name at squarepolka dot com, and you can encrypt your email using my PGP key. You can also talk to me on IRC.