mirror of
https://github.com/hasura/graphql-engine.git
synced 2024-12-15 09:22:43 +03:00
docs: update security disclosures page with bug bounty information
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/7215 Co-authored-by: Marion Schleifer <5722022+marionschleifer@users.noreply.github.com> GitOrigin-RevId: 00da79b7fd2b315ab8f361eb82136856fb8d2f55
This commit is contained in:
parent
df5c946174
commit
08a1165a7b
@ -30,6 +30,8 @@ reports are thoroughly investigated by the Hasura team.
|
||||
To report a security issue, please email us at <security@hasura.io> with details, if possible attaching relevant
|
||||
information. The more details we have, the quicker will we be able to fix potential vulnerabilities.
|
||||
|
||||
We do not currently have a bug bounty program, however, for valid high and critical severity issues we may, at our discretion, choose to award a bounty. Please see our guidance at the bottom of the page for types of vulnerabilities which are in and out of scope. Do not use social engineering and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. If you should accidentally do any of these things, stop immediately and report the issue.
|
||||
|
||||
### When should I report a vulnerability?
|
||||
|
||||
- You think you have discovered a potential security vulnerability in the Hasura GraphQL engine or related components.
|
||||
@ -67,3 +69,44 @@ disclosure to typically be in the order of 7 days.
|
||||
|
||||
In any case, the Hasura team will do their best to identify and fix any vulnerabilities as soon as possible, as well as
|
||||
communicate to the submitter about the progress and set a disclosure date.
|
||||
|
||||
## Vulnerability categories we encourage be reported
|
||||
|
||||
We are keen on hearing about the vulnerabilities encompassing the following categories:
|
||||
|
||||
- SQL Injection scenarios.
|
||||
- Server side injection cases.
|
||||
- Access control related issues.
|
||||
- Authentication/Authorization related issues.
|
||||
- Remote Code Execution.
|
||||
- Cross Site Scripting (XSS).
|
||||
- Cross Site Request Forgery (CSRF) attacks when an operation can be performed on behalf of the user.
|
||||
- Data Exposure.
|
||||
- Any unique issues that do not fall into explicit categories.
|
||||
|
||||
## Out of scope vulnerabilities
|
||||
|
||||
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
|
||||
|
||||
- Clickjacking on pages with no sensitive actions.
|
||||
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
|
||||
- Attacks requiring MITM or physical access to a user's device.
|
||||
- Previously known vulnerable libraries without a working proof of concept.
|
||||
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
|
||||
- Missing best practices in SSL/TLS configuration.
|
||||
- Any activity that could lead to the disruption of our service (DoS).
|
||||
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
|
||||
- Rate limiting or bruteforce issues on non-authentication endpoints.
|
||||
- Missing best practices in Content Security Policy.
|
||||
- Missing HttpOnly or Secure flags on cookies.
|
||||
- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
|
||||
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version].
|
||||
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
|
||||
- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
|
||||
- Tabnabbing.
|
||||
- Open redirect - unless an additional security impact can be demonstrated.
|
||||
- Issues that require unlikely user interaction.
|
||||
- Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.
|
||||
- Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).
|
||||
- Bugs in third-party components which the Hasura uses only qualify if you can prove that they can be used to successfully attack Hasura's in scope applications.
|
||||
- SSRF issues - To be eligible for a bounty on HTTP/WS based SSRF submissions, please provide a proof of concept demonstrating access to sensitive resources such as leaking sensitive API keys or the ability to trigger state changing actions. Exploits just demonstrating a service header being responded would not meet the threshold.
|
||||
|
Loading…
Reference in New Issue
Block a user