From 89db601cfde64fa74755b6f5365e93ce273e577c Mon Sep 17 00:00:00 2001 From: Dhruvil Joshi <156029746+dhruvilj1@users.noreply.github.com> Date: Tue, 9 Apr 2024 18:25:27 -0400 Subject: [PATCH] docs: update-rewards-for-disclosures. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/10770 Co-authored-by: Rob Dominguez <24390149+robertjdominguez@users.noreply.github.com> GitOrigin-RevId: 73d7ff33ca66d3e57b391acbd0d506784249f354 --- docs/docs/policies/security-disclosure.mdx | 22 +++++++++++++++------- yarn.lock | 4 ++++ 2 files changed, 19 insertions(+), 7 deletions(-) create mode 100644 yarn.lock diff --git a/docs/docs/policies/security-disclosure.mdx b/docs/docs/policies/security-disclosure.mdx index 8878092b36f..b13f4d5ba44 100644 --- a/docs/docs/policies/security-disclosure.mdx +++ b/docs/docs/policies/security-disclosure.mdx 
@@ -28,14 +28,22 @@ emails about security announcements. We’re extremely grateful for security researchers and users who report vulnerabilities to the Hasura community. All reports are thoroughly investigated by the Hasura team. -To report a security issue, please email us at with details, if possible attaching relevant -information. The more details we have, the quicker will we be able to fix potential vulnerabilities. +To report a security issue, please email us at with the vulnerability details, and attach the +relevant information including screenshots/videos. The more details we have, the quicker will we be able to fix any +potential vulnerabilities. -We do not currently have a bug bounty program, however, for valid high and critical severity issues we may, at our -discretion, choose to award a bounty. Please see our guidance at the bottom of the page for types of vulnerabilities -which are in and out of scope. Do not use social engineering and make a good faith effort to avoid privacy violations, -destruction of data, and interruption or degradation of our service. If you should accidentally do any of these things, -stop immediately and report the issue. +Hasura does not provide monetary reward for vulnerability disclosures however, at our sole discretion, we may make +exceptions to this policy for exceptional contributions. + +You may be eligible for a reward if it requires a severe code/configuration change from our side. The rewards can be +both monetary or swag. + +Please reference our guidance at the bottom of the page for the types of vulnerabilities that are in and out-of-scope. + +Do not use social engineering techniques and make a good faith effort to avoid any privacy violations, destruction of +data, and interruption or degradation of our service. + +If you should accidentally do any of these things, please stop immediately and report the issue. ### When should I report a vulnerability? 
diff --git a/yarn.lock b/yarn.lock new file mode 100644 index 00000000000..fb57ccd13af --- /dev/null +++ b/yarn.lock @@ -0,0 +1,4 @@ +# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. +# yarn lockfile v1 + +
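Review bot: The new "does not provide monetary reward" paragraph and the following "You may be eligible for a reward ... monetary or swag" paragraph read as contradictory, and "if it requires a severe code/configuration change" has no antecedent for "it". Suggest tying the second paragraph to the exception explicitly, e.g. "As an exception, a report may be eligible for a monetary or swag reward if the reported issue requires a severe code or configuration change on our side." Smaller points in the same hunk: "email us at with the vulnerability details" still has nothing between "at" and "with" in both the removed and added lines, so please confirm the address/link actually renders in the built page; "the quicker will we be able to fix" should be "the quicker we will be able to fix"; "does not provide monetary reward for vulnerability disclosures however, at our sole discretion" needs "a monetary reward" and a comma before "however"; "both monetary or swag" should be "either monetary or swag".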
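Review bot: The yarn.lock hunk adds a new lockfile at the repository root that contains only the autogenerated header and no entries, in a commit whose subject and other change are docs-only. That looks like an accidental artifact of running yarn outside the docs directory rather than an intended change; suggest dropping this file from the patch (or, if a root lockfile is wanted, generating it from the real package manifest so it pins something).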