hasura/graphql-engine
1
0
Fork 0
mirror of https://github.com/hasura/graphql-engine.git synced 2024-12-14 17:02:49 +03:00
Code Issues Projects Releases Wiki Activity

docs: update security disclosures page with bug bounty information

Browse Source 
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/7215
Co-authored-by: Marion Schleifer <5722022+marionschleifer@users.noreply.github.com>
GitOrigin-RevId: 00da79b7fd2b315ab8f361eb82136856fb8d2f55
This commit is contained in:
timothy-hasura 2022-12-10 01:34:44 -08:00 committed by hasura-bot
parent df5c946174
commit 08a1165a7b
1 changed files with 43 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
docs/docs/policies/security-disclosure.mdx
View File

@ -30,6 +30,8 @@ reports are thoroughly investigated by the Hasura team.
To report a security issue, please email us at <security@hasura.io> with details, if possible attaching relevant
information. The more details we have, the quicker will we be able to fix potential vulnerabilities.
We do not currently have a bug bounty program, however, for valid high and critical severity issues we may, at our discretion, choose to award a bounty. Please see our guidance at the bottom of the page for types of vulnerabilities which are in and out of scope. Do not use social engineering and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. If you should accidentally do any of these things, stop immediately and report the issue.
### When should I report a vulnerability?
- You think you have discovered a potential security vulnerability in the Hasura GraphQL engine or related components.
@ -67,3 +69,44 @@ disclosure to typically be in the order of 7 days.
In any case, the Hasura team will do their best to identify and fix any vulnerabilities as soon as possible, as well as
communicate to the submitter about the progress and set a disclosure date.
## Vulnerability categories we encourage be reported
We are keen on hearing about the vulnerabilities encompassing the following categories:
- SQL Injection scenarios.
- Server side injection cases.
- Access control related issues.
- Authentication/Authorization related issues.
- Remote Code Execution.
- Cross Site Scripting (XSS).
- Cross Site Request Forgery (CSRF) attacks when an operation can be performed on behalf of the user.
- Data Exposure.
- Any unique issues that do not fall into explicit categories.
## Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working proof of concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Rate limiting or bruteforce issues on non-authentication endpoints.
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies.
- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version].
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
- Tabnabbing.
- Open redirect - unless an additional security impact can be demonstrated.
- Issues that require unlikely user interaction.
- Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.
- Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).
- Bugs in third-party components which the Hasura uses only qualify if you can prove that they can be used to successfully attack Hasura's in scope applications.
- SSRF issues - To be eligible for a bounty on HTTP/WS based SSRF submissions, please provide a proof of concept demonstrating access to sensitive resources such as leaking sensitive API keys or the ability to trigger state changing actions. Exploits just demonstrating a service header being responded would not meet the threshold.