├── .gitignore
├── assets
    ├── images
    │   ├── icon.png
    │   └── st-logo.png
    └── css
    │   └── styles.css
├── _layouts
    ├── post.html
    └── default.html
├── .well-known
    └── security.txt
├── _includes
    └── advisory-list.html
├── .security.txt
├── advisories.md
├── 404.html
├── CONTRIBUTING.md
├── hof.md
├── _posts
    └── 2017-07-22-cve-2017-0914.md 
├── report.md
├── Gemfile
├── LICENSE
├── _config.yml
├── Gemfile.lock
├── README.md
└── index.md


/.gitignore:
--------------------------------------------------------------------------------
1 | _site
2 | .sass-cache
3 | .jekyll-metadata
4 | 


--------------------------------------------------------------------------------
/assets/images/icon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EdOverflow/security-template/HEAD/assets/images/icon.png


--------------------------------------------------------------------------------
/assets/images/st-logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EdOverflow/security-template/HEAD/assets/images/st-logo.png


--------------------------------------------------------------------------------
/_layouts/post.html:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | archive: true
4 | ---
5 | 
6 | <h1>{{ page.title }}</h1>
7 | 
8 | {{ content }}


--------------------------------------------------------------------------------
/.well-known/security.txt:
--------------------------------------------------------------------------------
1 | # This is a template security.txt file.
2 | # You can generate your own here: https://securitytxt.org/#generate
3 | 


--------------------------------------------------------------------------------
/_includes/advisory-list.html:
--------------------------------------------------------------------------------
1 | <ul>
2 |   {% for post in site.posts %}
3 |     <li>
4 |       <a href="{{ post.url }}">{{ post.title }}</a>
5 |     </li>
6 |   {% endfor %}
7 | </ul>


--------------------------------------------------------------------------------
/.security.txt:
--------------------------------------------------------------------------------
1 | # If you would like to report a security issue
2 | # you may report it to me on HackerOne.
3 | Contact: https://hackerone.com/ed
4 | Encryption: https://keybase.pub/edoverflow/pgp_key.asc
5 | Acknowledgements: https://hackerone.com/ed/thanks
6 | 


--------------------------------------------------------------------------------
/advisories.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout: default
 3 | title: Security Advisories
 4 | permalink: /advisories/
 5 | ---
 6 | 
 7 | # Security Advisories
 8 | 
 9 | The following advisories have been issued in response to vulnerabilities:
10 | 
11 | * responsibly disclosed by external researchers;
12 | * identified as part of a sanctioned code review or penetration test;
13 | * discovered internally by a member of the {{ site.company_name }} Security Team.
14 | 
15 | ## Vulnerabilities
16 | 
17 | {% include advisory-list.html %}


--------------------------------------------------------------------------------
/404.html:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout: default
 3 | ---
 4 | 
 5 | <style type="text/css" media="screen">
 6 |   .container {
 7 |     margin: 10px auto;
 8 |     max-width: 600px;
 9 |     text-align: center;
10 |   }
11 |   h1 {
12 |     margin: 30px 0;
13 |     font-size: 4em;
14 |     line-height: 1;
15 |     letter-spacing: -1px;
16 |   }
17 | </style>
18 | 
19 | <div class="container">
20 |   <h1>404</h1>
21 | 
22 |   <p><strong>Page not found :(</strong></p>
23 |   <p>The requested page could not be found.</p>
24 | </div>
25 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # Contributing
 2 | 
 3 | Contributions from the public are welcome.
 4 | 
 5 | ### Using the issue tracker 💡
 6 | 
 7 | The issue tracker is the preferred channel for bug reports and features requests. [![GitHub issues](https://img.shields.io/github/issues/EdOverflow/security-template.svg?style=flat-square)](https://github.com/EdOverflow/security-template/issues)
 8 | 
 9 | ### Issues and labels 🏷
10 | 
11 | The bug tracker utilizes several labels to help organize and identify issues.
12 | 
13 | ### Guidelines for bug reports 🐛
14 | 
15 | Use the GitHub issue search — check if the issue has already been reported.
16 | 


--------------------------------------------------------------------------------
/hof.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout: default
 3 | title: Hall of Fame
 4 | permalink: /hof/
 5 | ---
 6 | 
 7 | # Hall of Fame
 8 | 
 9 | If you are the first researcher to report a confirmed security vulnerability, we will list your details below (if desired). You must comply with our Security Policy to be considered for our Hall of Fame. We would like to thank the following security researchers for helping us secure our platform.
10 | 
11 | * First researcher name &mdash; [https://example.com](https://example.com)
12 | * Second researcher name &mdash; [https://example.com](https://example.com)
13 | * Third researcher name &mdash; [https://example.com](https://example.com)


--------------------------------------------------------------------------------
/_posts/2017-07-22-cve-2017-0914.md :
--------------------------------------------------------------------------------
1 | ---
2 | title:  "CVE-2017-0914"
3 | date:   2017-07-22
4 | description: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
5 | ---
6 | 
7 | Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.


--------------------------------------------------------------------------------
/report.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout: default
 3 | title: Report a Security Issue
 4 | permalink: /report/
 5 | ---
 6 | 
 7 | {% if site.hackerone_url %}
 8 | 	<script type="text/javascript">
 9 | 		window.location = "{{ site.hackerone_url }}";
10 | 	</script>
11 | {% elsif site.bugcrowd_url %}
12 | 	<script type="text/javascript">
13 | 		window.location = "{{ site.bugcrowd_url }}";
14 | 	</script>
15 | {% else %}
16 | # Report a security issue
17 | 
18 | ### Our reporting procedure
19 | 
20 | To be specified by the {{ site.company_name }} Security Team.
21 | 
22 | <!--<iframe src="https://bugcrowd.com/{{ bugcrowd_id }}/external/report" style="width: 100%; height: 2480px; border: medium none; overflow: hidden;" scrolling="no" id="iFrameResizer0"></iframe>-->
23 | {% endif %}


--------------------------------------------------------------------------------
/Gemfile:
--------------------------------------------------------------------------------
 1 | source "https://rubygems.org"
 2 | 
 3 | # Hello! This is where you manage which Jekyll version is used to run.
 4 | # When you want to use a different version, change it below, save the
 5 | # file and run `bundle install`. Run Jekyll with `bundle exec`, like so:
 6 | #
 7 | #     bundle exec jekyll serve
 8 | #
 9 | # This will help ensure the proper Jekyll version is running.
10 | # Happy Jekylling!
11 | gem "jekyll", "~> 4.0.1"
12 | 
13 | # This is the default theme for new Jekyll sites. You may change this to anything you like.
14 | gem "minima", "~> 2.5", ">= 2.5.1"
15 | 
16 | # If you want to use GitHub Pages, remove the "gem "jekyll"" above and
17 | # uncomment the line below. To upgrade, run `bundle update github-pages`.
18 | # gem "github-pages", group: :jekyll_plugins
19 | 
20 | # If you have any plugins, put them here!
21 | group :jekyll_plugins do
22 |   gem "jekyll-feed", "~> 0.15", ">= 0.15.0"
23 | end
24 | 
25 | # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
26 | gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]
27 | 
28 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2017 EdOverflow
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
 1 | company_name: Example Company
 2 | email: security@example.com
 3 | description: >-
 4 |   This is a default description for SecurityTemplate.
 5 | baseurl: "" # the subpath of your site, e.g. /blog
 6 | url: "" # the base hostname & protocol for your site, e.g. https://example.com
 7 | bugcrowd_id: # https://docs.bugcrowd.com/v1.0/docs/embedded-submission-form
 8 | 
 9 | # Bug bounty platforms
10 | # If you have an external report form, 
11 | # /report will redirect to that URL.
12 | # hackerone_url: https://hackerone.com/YOUR_PAGE
13 | # bugcrowd_url: https://bugcrowd.com/YOUR_PAGE
14 | 
15 | # Build settings
16 | markdown: kramdown
17 | plugins:
18 |   - jekyll-feed
19 | 
20 | include:
21 | - .well-known
22 | 
23 | permalink:       /:year/:title/
24 | 
25 | defaults:
26 |     -
27 |         scope:
28 |             path: "" # empty string for all files
29 |             type: pages
30 |         values:
31 |             layout: default
32 |     -
33 |         scope:
34 |             path: "" # empty string for all files
35 |             type: posts
36 |         values:
37 |             layout: post
38 |     -
39 |         scope:
40 |             path: ""
41 |             type: drafts
42 |         values:
43 |             layout: post
44 | 


--------------------------------------------------------------------------------
/assets/css/styles.css:
--------------------------------------------------------------------------------
 1 | /**
 2 |  * Copyright 2015 Google Inc. All Rights Reserved.
 3 |  *
 4 |  * Licensed under the Apache License, Version 2.0 (the "License");
 5 |  * you may not use this file except in compliance with the License.
 6 |  * You may obtain a copy of the License at
 7 |  *
 8 |  *      http://www.apache.org/licenses/LICENSE-2.0
 9 |  *
10 |  * Unless required by applicable law or agreed to in writing, software
11 |  * distributed under the License is distributed on an "AS IS" BASIS,
12 |  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 |  * See the License for the specific language governing permissions and
14 |  * limitations under the License.
15 |  */
16 | 
17 | .demo-ribbon {
18 |   width: 100%;
19 |   height: 40vh;
20 |   background-color: #3d6098;
21 |   flex-shrink: 0;
22 | }
23 | 
24 | .mdl-navigation__link {
25 |   color: #333 !important;
26 | }
27 | 
28 | .demo-main {
29 |   margin-top: -35vh;
30 |   flex-shrink: 0;
31 | }
32 | 
33 | .demo-header .mdl-layout__header-row {
34 |   padding-left: 40px;
35 | }
36 | 
37 | .demo-container {
38 |   max-width: 1600px;
39 |   width: calc(100% - 16px);
40 |   margin: 0 auto;
41 | }
42 | 
43 | .demo-content {
44 |   border-radius: 2px;
45 |   padding: 20px 56px;
46 |   margin-bottom: 80px;
47 | }
48 | 
49 | .demo-layout.is-small-screen .demo-content {
50 |   padding: 40px 28px;
51 | }
52 | 
53 | .demo-content h3 {
54 |   margin-top: 48px;
55 | }
56 | 
57 | .demo-footer {
58 |   padding-left: 40px;
59 | }
60 | 
61 | .demo-footer .mdl-mini-footer--link-list a {
62 |   font-size: 13px;
63 | }
64 | 
65 | table { 
66 |     border-spacing: 5px;
67 |     border-collapse: separate;
68 | }
69 | 
70 | td { 
71 |     padding: 5px;
72 | }
73 | 
74 | 


--------------------------------------------------------------------------------
/Gemfile.lock:
--------------------------------------------------------------------------------
 1 | GEM
 2 |   remote: https://rubygems.org/
 3 |   specs:
 4 |     addressable (2.7.0)
 5 |       public_suffix (>= 2.0.2, < 5.0)
 6 |     colorator (1.1.0)
 7 |     concurrent-ruby (1.1.6)
 8 |     em-websocket (0.5.1)
 9 |       eventmachine (>= 0.12.9)
10 |       http_parser.rb (~> 0.6.0)
11 |     eventmachine (1.2.7)
12 |     ffi (1.13.1)
13 |     forwardable-extended (2.6.0)
14 |     http_parser.rb (0.6.0)
15 |     i18n (1.8.5)
16 |       concurrent-ruby (~> 1.0)
17 |     jekyll (4.0.1)
18 |       addressable (~> 2.4)
19 |       colorator (~> 1.0)
20 |       em-websocket (~> 0.5)
21 |       i18n (>= 0.9.5, < 2)
22 |       jekyll-sass-converter (~> 2.0)
23 |       jekyll-watch (~> 2.0)
24 |       kramdown (~> 2.1)
25 |       kramdown-parser-gfm (~> 1.0)
26 |       liquid (~> 4.0)
27 |       mercenary (~> 0.3.3)
28 |       pathutil (~> 0.9)
29 |       rouge (~> 3.0)
30 |       safe_yaml (~> 1.0)
31 |       terminal-table (~> 1.8)
32 |     jekyll-feed (0.15.0)
33 |       jekyll (>= 3.7, < 5.0)
34 |     jekyll-sass-converter (2.1.0)
35 |       sassc (> 2.0.1, < 3.0)
36 |     jekyll-seo-tag (2.6.1)
37 |       jekyll (>= 3.3, < 5.0)
38 |     jekyll-watch (2.2.1)
39 |       listen (~> 3.0)
40 |     kramdown (2.3.1)
41 |       rexml
42 |     kramdown-parser-gfm (1.1.0)
43 |       kramdown (~> 2.0)
44 |     liquid (4.0.3)
45 |     listen (3.2.1)
46 |       rb-fsevent (~> 0.10, >= 0.10.3)
47 |       rb-inotify (~> 0.9, >= 0.9.10)
48 |     mercenary (0.3.6)
49 |     minima (2.5.1)
50 |       jekyll (>= 3.5, < 5.0)
51 |       jekyll-feed (~> 0.9)
52 |       jekyll-seo-tag (~> 2.1)
53 |     pathutil (0.16.2)
54 |       forwardable-extended (~> 2.6)
55 |     public_suffix (4.0.5)
56 |     rb-fsevent (0.10.4)
57 |     rb-inotify (0.10.1)
58 |       ffi (~> 1.0)
59 |     rexml (3.2.4)
60 |     rouge (3.21.0)
61 |     safe_yaml (1.0.5)
62 |     sassc (2.4.0)
63 |       ffi (~> 1.9)
64 |     terminal-table (1.8.0)
65 |       unicode-display_width (~> 1.1, >= 1.1.1)
66 |     unicode-display_width (1.7.0)
67 | 
68 | PLATFORMS
69 |   ruby
70 | 
71 | DEPENDENCIES
72 |   jekyll (~> 4.0.0)
73 |   jekyll-feed (~> 0.12, >= 0.12.0)
74 |   minima (~> 2.5, >= 2.5.1)
75 |   tzinfo-data
76 | 
77 | BUNDLED WITH
78 |    1.17.3
79 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | <div align="center">
 2 | <img align="center" src="https://user-images.githubusercontent.com/4115778/32569683-b5075996-c4b9-11e7-8a60-7412bcd7356b.png" height="200"></img>
 3 | </div>
 4 | <div align="center">
 5 | <br/>
 6 | </div>
 7 | 
 8 | <a href="https://www.buymeacoffee.com/edoverflow" target="_blank"><img src="https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png" alt="Buy Me A Coffee" style="height: auto !important;width: auto !important;" ></a>
 9 |   
10 | # Project
11 | 
12 | _SecurityTemplate_ is a static website template for security pages, powered by Jekyll. It's easy to get started. Clone this repo, edit the configuration files and content to your liking, and publish with [GitHub Pages](https://pages.github.com) or on your own server platform.
13 | 
14 | You can [set up a local environment](https://help.github.com/articles/setting-up-your-github-pages-site-locally-with-jekyll/) to test your _SecurityTemplate_ static site, and [push to GitHub](https://help.github.com/articles/using-jekyll-as-a-static-site-generator-with-github-pages/) if desired.
15 | 
16 | This project is a rapidly evolving work in progress. We value [contributions](https://github.com/EdOverflow/security-template/blob/master/CONTRIBUTING.md) from the public.
17 | 
18 | # Structure
19 | 
20 | The template directory structure is as follows:
21 | 
22 | ```
23 | .
24 | ├── 404.html # 404 page.
25 | ├── advisories.md # Security advisories list.
26 | ├── assets # Page assets.
27 | │   ├── css
28 | │   │   └── styles.css
29 | │   └── images
30 | │       └── icon.png
31 | ├── _config.yml # Config file with all your variables.
32 | ├── _drafts
33 | ├── Gemfile
34 | ├── Gemfile.lock
35 | ├── hof.md # Hall of fame page.
36 | ├── _includes
37 | │   └── advisory-list.html
38 | ├── index.md # Security policy.
39 | ├── _layouts
40 | │   ├── default.html
41 | │   └── post.html
42 | ├── LICENSE
43 | ├── _posts
44 | │   └── 2017-07-22-cve-2017-0914.md # Example security advisory.
45 | ├── README.md
46 | └── report.md
47 | ```
48 | 
49 | ![Example policy](https://user-images.githubusercontent.com/4115778/32572136-9d388d50-c4c1-11e7-879c-0de12c411949.png)
50 | 
51 | 
52 | ## `config.yml`
53 | 
54 | * `company_name` &mdash; replace this with your organization name
55 | * `email` &mdash; replace this with your security contact address
56 | * `bugcrowd_id` &mdash; replace this with your [Bugcrowd ID](https://docs.bugcrowd.com/v1.0/docs/embedded-submission-form), if applicable
57 | * `hackerone_url` and `bugcrowd_url` &mdash; the <b>/report</b> URL will redirect to one of these, if specified.
58 | 
59 | ## `index.md`
60 | 
61 | The index file is where your security policy lives. To learn more about writing good security policies, please refer to https://support.hackerone.com/hc/en-us/articles/205624665-How-do-we-write-a-good-policy-.
62 | 
63 | ## `advisories.md`
64 | 
65 | This is where you can list your security advisories. The list is updated every time you add a security advisory to the `_posts` folder.
66 | 
67 | ## `report.md`
68 | 
69 | This file should contain contact information for security researchers to use when reporting a security vulnerability. If a HackerOne or Bugcrowd URL is specified in `config.yml`, users will be redirected automatically. You can also use an embedded Bugcrowd submission form. Just uncomment the form, and add your Bugcrowd embed token under `bugcrowd_id` in `_config.yml`.
70 | 
71 | ## `hof.md`
72 | 
73 | This is your security acknowledgements page. List the details of security researchers that reported valid security issues (and wish to be listed publicly).
74 | 
75 | ## `.well-known/security.txt`
76 | 
77 | `security-template` contains a security.txt template file. _security.txt_ defines a standard to help organizations define the process for security researchers to safely disclose vulnerabilities via a simple text file. For more on this, please refer to https://securitytxt.org/.
78 | 
79 | # Contributing
80 | 
81 | We welcome contributions from the public.
82 | 
83 | ### Using the issue tracker 💡
84 | 
85 | The issue tracker is the preferred channel for bug reports and features requests.
86 | 
87 | ### Issues and labels 🏷
88 | 
89 | The bug tracker utilizes several labels to help organize and identify issues.
90 | 
91 | ### Guidelines for bug reports 🐛
92 | 
93 | Use the GitHub issue search — check if the issue has already been reported.
94 | 


--------------------------------------------------------------------------------
/_layouts/default.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 |   <head>
 4 |     <meta charset="utf-8">
 5 |     <meta http-equiv="X-UA-Compatible" content="IE=edge">
 6 |     <meta name="description" content="A static website template for security pages.">
 7 |     <meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0">
 8 |     <title>{{ site.company_name }} Security</title>
 9 | 
10 |     <!-- Add to homescreen for Chrome on Android -->
11 |     <meta name="mobile-web-app-capable" content="yes">
12 |     <link rel="icon" sizes="192x192" href="{{ site.baseurl }}/assets/images/icon.png">
13 | 
14 |     <!-- Add to homescreen for Safari on iOS -->
15 |     <meta name="apple-mobile-web-app-capable" content="yes">
16 |     <meta name="apple-mobile-web-app-status-bar-style" content="black">
17 |     <meta name="apple-mobile-web-app-title" content="SecurityTemplate">
18 |     <link rel="apple-touch-icon-precomposed" href="{{ site.baseurl }}/assets/images/icon.png">
19 | 
20 |     <!-- Tile icon for Win8 (144x144 + tile color) -->
21 |     <meta name="msapplication-TileImage" content="images/touch/ms-touch-icon-144x144-precomposed.png">
22 |     <meta name="msapplication-TileColor" content="#3372DF">
23 | 
24 |     <link rel="shortcut icon" href="{{ site.baseurl }}/assets/images/icon.png">
25 | 
26 |     <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:regular,bold,italic,thin,light,bolditalic,black,medium&amp;lang=en">
27 |     <link rel="stylesheet" href="https://fonts.googleapis.com/icon?family=Material+Icons">
28 |      <link rel="stylesheet" href="https://code.getmdl.io/1.3.0/material.purple-pink.min.css" />
29 |     <link rel="stylesheet" href="{{ site.baseurl }}/assets/css/styles.css">
30 | 
31 |     <!-- Content Security Policy - Disabled by default -->
32 |     <!--<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline' code.getmdl.io; style-src 'self' code.getmdl.io; img-src *; font-src *; upgrade-insecure-requests; reflected-xss block;">-->
33 |   </head>
34 |   <body>
35 |     <div class="demo-layout mdl-layout mdl-layout--fixed-header mdl-js-layout mdl-color--grey-100">
36 |       <header class="demo-header mdl-layout__header mdl-layout__header--scroll mdl-color--grey-100 mdl-color-text--grey-800">
37 |         <div class="mdl-layout__header-row">
38 |           <span class="mdl-layout-title"><a style="color: #3d6098; text-decoration:none;" href="{{ site.baseurl }}/"><b>{{ site.company_name }}</b> Security</a></span>
39 |           <div class="mdl-layout-spacer"></div>
40 |  		<nav class="mdl-navigation">
41 |         <a class="mdl-navigation__link" href="{{ site.baseurl }}/">Policy</a>
42 |         {% if site.hackerone_url %}
43 |           <a class="mdl-navigation__link" href="{{ site.hackerone_url }}">Report Issue</a>
44 |         {% elsif site.bugcrowd_url %}
45 |           <a class="mdl-navigation__link" href="{{ site.bugcrowd_url }}">Report Issue</a>
46 |         {% else %}
47 |           <a class="mdl-navigation__link" href="{{ site.baseurl }}/report">Report Issue</a>
48 |         {% endif %}
49 |         <a class="mdl-navigation__link" href="{{ site.baseurl }}/hof">Hall of Fame</a>
50 |         <a class="mdl-navigation__link" href="{{ site.baseurl }}/advisories">Advisories</a>
51 |       </nav>
52 |         </div>
53 |       </header>
54 |       <div class="demo-ribbon"></div>
55 | 
56 |       <main class="demo-main mdl-layout__content" style="flex: 1 0 auto;">
57 |         <div class="demo-container mdl-grid">
58 |           <div class="mdl-cell mdl-cell--2-col mdl-cell--hide-tablet mdl-cell--hide-phone"></div>
59 |           <div class="demo-content mdl-color--white mdl-shadow--4dp content mdl-color-text--grey-800 mdl-cell mdl-cell--8-col">
60 |             {{ content }}
61 |           </div>
62 |         </div>
63 |         
64 |       <footer class="demo-footer mdl-mini-footer">
65 |           <div class="mdl-mini-footer--left-section">
66 |             <ul class="mdl-mini-footer--link-list">
67 |               <li><a href="{{ site.baseurl }}/">{{ site.company_name }} Security Policy</a>, built with <a href="https://github.com/EdOverflow/security-template">Security Template</a></li>
68 |             </ul>
69 |           </div>
70 |         </footer>
71 | 
72 | 
73 |       </main>
74 | 
75 |      
76 |     </div>
77 |   </body>
78 |   <script defer src="https://code.getmdl.io/1.3.0/material.min.js"></script>
79 | </html>
80 | 


--------------------------------------------------------------------------------
/index.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout: default
 3 | ---
 4 | 
 5 | # Policy
 6 | 
 7 | Thank you for helping us keep {{ site.company_name }} users safe! We ask that all researchers:
 8 | 
 9 | *   Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
10 | *   Perform research only within the scope set out below;
11 | *   Use the identified communication channels to report vulnerability information to us;
12 | *   Report vulnerabilities as soon as you discover them;
13 | *   Keep information about any vulnerabilities you’ve discovered confidential between yourself and {{ site.company_name }} until we’ve had 90 days to resolve the issue.
14 | 
15 | If you follow these guidelines when reporting an issue to us, we commit to:
16 | 
17 | *   Not pursue or support any legal action related to your research;
18 | *   Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission).
19 | 
20 | ## Scope
21 | ### In-scope
22 | 
23 | * [https://example.com](https://example.com)
24 | * [https://example.co](https://example.co)
25 | 
26 | ### Out of Scope
27 | 
28 | In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:
29 | 
30 | * Findings from physical testing such as office access (e.g. open doors, tailgating).
31 | * Findings derived primarily from social engineering (e.g. phishing, vishing).
32 | * Findings from applications or systems not listed in the <i>Scope</i> section.
33 | * Vulnerability reports with video only PoCs.
34 | * Reports that state that software is out of date or vulnerable without a proof of concept.
35 | * Highly speculative reports about theoretical damage. Be concrete.
36 | * Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.
37 | * Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.
38 | * Recently disclosed zero-day vulnerabilities. We need time to patch our systems just like everyone else - please give us 30 days before reporting these types of issues.
39 | * Issues in third-party services should be reported to the respective team. Please take a look at the "Third-Party Services" section for more information.
40 | 
41 | The following issue types are excluded from scope:
42 | 
43 | * Network-level Denial of Service (DoS/DDoS) vulnerabilities.
44 | * Low severity issues that can be detected with tools such as [Hardenize](https://www.hardenize.com/) and [Security Headers](https://securityheaders.io/).
45 | * XSS issues that affect only [outdated browsers](http://outdatedbrowser.com/).
46 | * Content injection issues.
47 | * Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.).
48 | * Missing cookie flags on non-security-sensitive cookies.
49 | * UI and UX bugs (including spelling mistakes).
50 | * [CSV and Excel injection](https://www.contextis.com/blog/comma-separated-vulnerabilities).
51 | * [401 page injection](https://security.stackexchange.com/a/135534).
52 | * Stack traces that disclose information.
53 | * Host header issues without an accompanying proof-of-concept demonstrating vulnerability.
54 | * Open ports without an accompanying proof-of-concept demonstrating vulnerability.
55 | * Banner grabbing issues (figuring out what web server we use, etc.).
56 | 
57 | ## Reporting
58 | 
59 | If you believe you’ve found a security vulnerability in one of our products or platforms, please send it to us via our [report form]({{ site.baseurl }}/report). Please provide detailed reports with reproducible steps. If a report is not detailed enough to reproduce the issue, it will not be eligible for a bounty.
60 | 
61 | ## Rewards
62 | 
63 | If you are the first to report an issue, and we make a code or configuration change based on the issue, we will award you:
64 | 
65 | | Severity | CVSS       | Award |
66 | |:---------|:----------:|:------|
67 | | Critical | 9.0 - 10.0 | $500  |
68 | | High     | 7.0 - 8.9  | $100  |
69 | | Medium   | 4.0 - 6.9  | $50   |
70 | | Low      | 0.1 - 3.9  | $10   |
71 | | None     | 0.0 - 0.0  | N/A   |
72 | 
73 | ## Third-Party Services
74 | 
75 | {{ site.company_name }} uses the following third-party services. If you discover an issue in one of these services, please  report it to the appropriate security team.
76 | 
77 | <!-- Insert list of third-party services here. -->
78 | 


--------------------------------------------------------------------------------