├── .gitignore ├── assets ├── images │ ├── icon.png │ └── st-logo.png └── css │ └── styles.css ├── _layouts ├── post.html └── default.html ├── .well-known └── security.txt ├── _includes └── advisory-list.html ├── .security.txt ├── advisories.md ├── 404.html ├── CONTRIBUTING.md ├── hof.md ├── _posts └── 2017-07-22-cve-2017-0914.md ├── report.md ├── Gemfile ├── LICENSE ├── _config.yml ├── Gemfile.lock ├── index.md └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | _site 2 | .sass-cache 3 | .jekyll-metadata 4 | -------------------------------------------------------------------------------- /assets/images/icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jhaddix/security-template/HEAD/assets/images/icon.png -------------------------------------------------------------------------------- /assets/images/st-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jhaddix/security-template/HEAD/assets/images/st-logo.png -------------------------------------------------------------------------------- /_layouts/post.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: default 3 | archive: true 4 | --- 5 | 6 |

{{ page.title }}

7 | 8 | {{ content }} -------------------------------------------------------------------------------- /.well-known/security.txt: -------------------------------------------------------------------------------- 1 | # This is a template security.txt file. 2 | # You can generate your own here: https://securitytxt.org/#generate 3 | -------------------------------------------------------------------------------- /_includes/advisory-list.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /.security.txt: -------------------------------------------------------------------------------- 1 | # If you would like to report a security issue 2 | # you may report it to me on HackerOne. 3 | Contact: https://hackerone.com/ed 4 | Encryption: https://keybase.pub/edoverflow/pgp_key.asc 5 | Acknowledgements: https://hackerone.com/ed/thanks 6 | -------------------------------------------------------------------------------- /advisories.md: -------------------------------------------------------------------------------- 1 | --- 2 | layout: default 3 | title: Security Advisories 4 | permalink: /advisories/ 5 | --- 6 | 7 | # Security Advisories 8 | 9 | The following advisories have been issued in response to vulnerabilities: 10 | 11 | * responsibly disclosed by external researchers; 12 | * identified as part of a sanctioned code review or penetration test; 13 | * discovered internally by a member of the {{ site.company_name }} Security Team. 14 | 15 | ## Vulnerabilities 16 | 17 | {% include advisory-list.html %} -------------------------------------------------------------------------------- /404.html: -------------------------------------------------------------------------------- 1 | --- 2 | layout: default 3 | --- 4 | 5 | 18 | 19 |
20 |

404

21 | 22 |

Page not found :(

23 |

The requested page could not be found.

24 |
25 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | Contributions from the public are welcome. 4 | 5 | ### Using the issue tracker 💡 6 | 7 | The issue tracker is the preferred channel for bug reports and features requests. [![GitHub issues](https://img.shields.io/github/issues/EdOverflow/security-template.svg?style=flat-square)](https://github.com/EdOverflow/security-template/issues) 8 | 9 | ### Issues and labels 🏷 10 | 11 | The bug tracker utilizes several labels to help organize and identify issues. 12 | 13 | ### Guidelines for bug reports 🐛 14 | 15 | Use the GitHub issue search — check if the issue has already been reported. 16 | -------------------------------------------------------------------------------- /hof.md: -------------------------------------------------------------------------------- 1 | --- 2 | layout: default 3 | title: Hall of Fame 4 | permalink: /hof/ 5 | --- 6 | 7 | # Hall of Fame 8 | 9 | If you are the first researcher to report a confirmed security vulnerability, we will list your details below (if desired). You must comply with our Security Policy to be considered for our Hall of Fame. We would like to thank the following security researchers for helping us secure our platform. 10 | 11 | * First researcher name — [https://example.com](https://example.com) 12 | * Second researcher name — [https://example.com](https://example.com) 13 | * Third researcher name — [https://example.com](https://example.com) -------------------------------------------------------------------------------- /_posts/2017-07-22-cve-2017-0914.md : -------------------------------------------------------------------------------- 1 | --- 2 | title: "CVE-2017-0914" 3 | date: 2017-07-22 4 | description: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. 5 | --- 6 | 7 | Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. -------------------------------------------------------------------------------- /report.md: -------------------------------------------------------------------------------- 1 | --- 2 | layout: default 3 | title: Report a Security Issue 4 | permalink: /report/ 5 | --- 6 | 7 | {% if site.hackerone_url %} 8 | 11 | {% elsif site.bugcrowd_url %} 12 | 15 | {% else %} 16 | # Report a security issue 17 | 18 | ### Our reporting procedure 19 | 20 | To be specified by the {{ site.company_name }} Security Team. 21 | 22 | 23 | {% endif %} -------------------------------------------------------------------------------- /Gemfile: -------------------------------------------------------------------------------- 1 | source "https://rubygems.org" 2 | 3 | # Hello! This is where you manage which Jekyll version is used to run. 4 | # When you want to use a different version, change it below, save the 5 | # file and run `bundle install`. Run Jekyll with `bundle exec`, like so: 6 | # 7 | # bundle exec jekyll serve 8 | # 9 | # This will help ensure the proper Jekyll version is running. 10 | # Happy Jekylling! 11 | gem "jekyll", "~> 3.6.2" 12 | 13 | # This is the default theme for new Jekyll sites. You may change this to anything you like. 14 | gem "minima", "~> 2.1", ">= 2.1.1" 15 | 16 | # If you want to use GitHub Pages, remove the "gem "jekyll"" above and 17 | # uncomment the line below. To upgrade, run `bundle update github-pages`. 18 | # gem "github-pages", group: :jekyll_plugins 19 | 20 | # If you have any plugins, put them here! 21 | group :jekyll_plugins do 22 | gem "jekyll-feed", "~> 0.9", ">= 0.9.2" 23 | end 24 | 25 | # Windows does not include zoneinfo files, so bundle the tzinfo-data gem 26 | gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby] 27 | 28 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 EdOverflow 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /_config.yml: -------------------------------------------------------------------------------- 1 | company_name: Example Company 2 | email: security@example.com 3 | description: >- 4 | This is a default description for SecurityTemplate. 5 | baseurl: "" # the subpath of your site, e.g. /blog 6 | url: "" # the base hostname & protocol for your site, e.g. https://example.com 7 | bugcrowd_id: # https://docs.bugcrowd.com/v1.0/docs/embedded-submission-form 8 | 9 | # Bug bounty platforms 10 | # If you have an external report form, 11 | # /report will redirect to that URL. 12 | # hackerone_url: https://hackerone.com/YOUR_PAGE 13 | # bugcrowd_url: https://bugcrowd.com/YOUR_PAGE 14 | 15 | # Build settings 16 | markdown: kramdown 17 | plugins: 18 | - jekyll-feed 19 | 20 | include: 21 | - .well-known 22 | 23 | permalink: /:year/:title/ 24 | 25 | defaults: 26 | - 27 | scope: 28 | path: "" # empty string for all files 29 | type: pages 30 | values: 31 | layout: default 32 | - 33 | scope: 34 | path: "" # empty string for all files 35 | type: posts 36 | values: 37 | layout: post 38 | - 39 | scope: 40 | path: "" 41 | type: drafts 42 | values: 43 | layout: post 44 | -------------------------------------------------------------------------------- /assets/css/styles.css: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2015 Google Inc. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | .demo-ribbon { 18 | width: 100%; 19 | height: 40vh; 20 | background-color: #3d6098; 21 | flex-shrink: 0; 22 | } 23 | 24 | .mdl-navigation__link { 25 | color: #333 !important; 26 | } 27 | 28 | .demo-main { 29 | margin-top: -35vh; 30 | flex-shrink: 0; 31 | } 32 | 33 | .demo-header .mdl-layout__header-row { 34 | padding-left: 40px; 35 | } 36 | 37 | .demo-container { 38 | max-width: 1600px; 39 | width: calc(100% - 16px); 40 | margin: 0 auto; 41 | } 42 | 43 | .demo-content { 44 | border-radius: 2px; 45 | padding: 20px 56px; 46 | margin-bottom: 80px; 47 | } 48 | 49 | .demo-layout.is-small-screen .demo-content { 50 | padding: 40px 28px; 51 | } 52 | 53 | .demo-content h3 { 54 | margin-top: 48px; 55 | } 56 | 57 | .demo-footer { 58 | padding-left: 40px; 59 | } 60 | 61 | .demo-footer .mdl-mini-footer--link-list a { 62 | font-size: 13px; 63 | } 64 | 65 | table { 66 | border-spacing: 5px; 67 | border-collapse: separate; 68 | } 69 | 70 | td { 71 | padding: 5px; 72 | } 73 | 74 | -------------------------------------------------------------------------------- /Gemfile.lock: -------------------------------------------------------------------------------- 1 | GEM 2 | remote: https://rubygems.org/ 3 | specs: 4 | addressable (2.5.2) 5 | public_suffix (>= 2.0.2, < 4.0) 6 | colorator (1.1.0) 7 | ffi (1.9.25) 8 | forwardable-extended (2.6.0) 9 | jekyll (3.6.2) 10 | addressable (~> 2.4) 11 | colorator (~> 1.0) 12 | jekyll-sass-converter (~> 1.0) 13 | jekyll-watch (~> 1.1) 14 | kramdown (~> 1.14) 15 | liquid (~> 4.0) 16 | mercenary (~> 0.3.3) 17 | pathutil (~> 0.9) 18 | rouge (>= 1.7, < 3) 19 | safe_yaml (~> 1.0) 20 | jekyll-feed (0.10.0) 21 | jekyll (~> 3.3) 22 | jekyll-sass-converter (1.5.2) 23 | sass (~> 3.4) 24 | jekyll-seo-tag (2.5.0) 25 | jekyll (~> 3.3) 26 | jekyll-watch (1.5.1) 27 | listen (~> 3.0) 28 | kramdown (1.17.0) 29 | liquid (4.0.0) 30 | listen (3.1.5) 31 | rb-fsevent (~> 0.9, >= 0.9.4) 32 | rb-inotify (~> 0.9, >= 0.9.7) 33 | ruby_dep (~> 1.2) 34 | mercenary (0.3.6) 35 | minima (2.5.0) 36 | jekyll (~> 3.5) 37 | jekyll-feed (~> 0.9) 38 | jekyll-seo-tag (~> 2.1) 39 | pathutil (0.16.1) 40 | forwardable-extended (~> 2.6) 41 | public_suffix (3.0.2) 42 | rb-fsevent (0.10.3) 43 | rb-inotify (0.9.10) 44 | ffi (>= 0.5.0, < 2) 45 | rouge (2.2.1) 46 | ruby_dep (1.5.0) 47 | safe_yaml (1.0.4) 48 | sass (3.5.6) 49 | sass-listen (~> 4.0.0) 50 | sass-listen (4.0.0) 51 | rb-fsevent (~> 0.9, >= 0.9.4) 52 | rb-inotify (~> 0.9, >= 0.9.7) 53 | 54 | PLATFORMS 55 | ruby 56 | 57 | DEPENDENCIES 58 | jekyll (~> 3.6.2) 59 | jekyll-feed (~> 0.9, >= 0.9.2) 60 | minima (~> 2.1, >= 2.1.1) 61 | tzinfo-data 62 | 63 | BUNDLED WITH 64 | 1.16.1 65 | -------------------------------------------------------------------------------- /_layouts/default.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | {{ site.company_name }} Security 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 |
36 |
37 |
38 | {{ site.company_name }} Security 39 |
40 | 52 |
53 |
54 |
55 | 56 |
57 |
58 |
59 |
60 | {{ content }} 61 |
62 |
63 | 64 | 71 | 72 | 73 |
74 | 75 | 76 |
77 | 78 | 79 | 80 | -------------------------------------------------------------------------------- /index.md: -------------------------------------------------------------------------------- 1 | --- 2 | layout: default 3 | --- 4 | 5 | # Policy 6 | 7 | Thank you for helping us keep {{ site.company_name }} users safe! We ask that all researchers: 8 | 9 | * Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing; 10 | * Perform research only within the scope set out below; 11 | * Use the identified communication channels to report vulnerability information to us; 12 | * Report vulnerabilities as soon as you discover them; 13 | * Keep information about any vulnerabilities you’ve discovered confidential between yourself and {{ site.company_name }} until we’ve had 90 days to resolve the issue. 14 | 15 | If you follow these guidelines when reporting an issue to us, we commit to: 16 | 17 | * Not pursue or support any legal action related to your research; 18 | * Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission). 19 | 20 | ## Scope 21 | ### In-scope 22 | 23 | * [https://example.com](https://example.com) 24 | * [https://example.co](https://example.co) 25 | 26 | ### Out of Scope 27 | 28 | In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope: 29 | 30 | * Findings from physical testing such as office access (e.g. open doors, tailgating). 31 | * Findings derived primarily from social engineering (e.g. phishing, vishing). 32 | * Findings from applications or systems not listed in the Scope section. 33 | * Vulnerability reports with video only PoCs. 34 | * Reports that state that software is out of date or vulnerable without a proof of concept. 35 | * Highly speculative reports about theoretical damage. Be concrete. 36 | * Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue. 37 | * Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated. 38 | * Recently disclosed zero-day vulnerabilities. We need time to patch our systems just like everyone else - please give us 30 days before reporting these types of issues. 39 | * Issues in third-party services should be reported to the respective team. Please take a look at the "Third-Party Services" section for more information. 40 | 41 | The following issue types are excluded from scope: 42 | 43 | * Network-level Denial of Service (DoS/DDoS) vulnerabilities. 44 | * Low severity issues that can be detected with tools such as [Hardenize](https://www.hardenize.com/) and [Security Headers](https://securityheaders.io/). 45 | * XSS issues that affect only [outdated browsers](http://outdatedbrowser.com/). 46 | * Content injection issues. 47 | * Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.). 48 | * Missing cookie flags on non-security-sensitive cookies. 49 | * UI and UX bugs (including spelling mistakes). 50 | * [CSV and Excel injection](https://www.contextis.com/blog/comma-separated-vulnerabilities). 51 | * [401 page injection](https://security.stackexchange.com/a/135534). 52 | * Stack traces that disclose information. 53 | * Host header issues without an accompanying proof-of-concept demonstrating vulnerability. 54 | * Open ports without an accompanying proof-of-concept demonstrating vulnerability. 55 | * Banner grabbing issues (figuring out what web server we use, etc.). 56 | 57 | ## Reporting 58 | 59 | If you believe you’ve found a security vulnerability in one of our products or platforms, please send it to us via our [report form]({{ site.baseurl }}/report). Please provide detailed reports with reproducible steps. If a report is not detailed enough to reproduce the issue, it will not be eligible for a bounty. 60 | 61 | ## Rewards 62 | 63 | If you are the first to report an issue, and we make a code or configuration change based on the issue, we will award you: 64 | 65 | | Severity | CVSS | Award | 66 | |:---------|:----------:|:------| 67 | | Critical | 9.0 - 10.0 | $500 | 68 | | High | 7.0 - 8.9 | $100 | 69 | | Medium | 4.0 - 6.9 | $50 | 70 | | Low | 0.1 - 3.9 | $10 | 71 | | None | 0.0 - 0.0 | N/A | 72 | 73 | ## Third-Party Services 74 | 75 | {{ site.company_name }} uses the following third-party services. If you discover an issue in one of these services, please report it to the appropriate security team. 76 | 77 | 78 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |
2 | 3 |
4 |
5 |
6 |
7 | 8 | # Project 9 | 10 | _SecurityTemplate_ is a static website template for security pages, powered by Jekyll. It's easy to get started. Clone this repo, edit the configuration files and content to your liking, and publish with [GitHub Pages](https://pages.github.com) or on your own server platform. 11 | 12 | You can [set up a local environment](https://help.github.com/articles/setting-up-your-github-pages-site-locally-with-jekyll/) to test your _SecurityTemplate_ static site, and [push to GitHub](https://help.github.com/articles/using-jekyll-as-a-static-site-generator-with-github-pages/) if desired. 13 | 14 | This project is a rapidly evolving work in progress. We value [contributions](https://github.com/EdOverflow/security-template/blob/master/CONTRIBUTING.md) from the public. Interested in checking out a live demo? Visit [securitytemplate.site](https://securitytemplate.site). 15 | 16 | # Structure 17 | 18 | The template directory structure is as follows: 19 | 20 | ``` 21 | . 22 | ├── 404.html # 404 page. 23 | ├── advisories.md # Security advisories list. 24 | ├── assets # Page assets. 25 | │   ├── css 26 | │   │   └── styles.css 27 | │   └── images 28 | │   └── icon.png 29 | ├── _config.yml # Config file with all your variables. 30 | ├── _drafts 31 | ├── Gemfile 32 | ├── Gemfile.lock 33 | ├── hof.md # Hall of fame page. 34 | ├── _includes 35 | │   └── advisory-list.html 36 | ├── index.md # Security policy. 37 | ├── _layouts 38 | │   ├── default.html 39 | │   └── post.html 40 | ├── LICENSE 41 | ├── _posts 42 | │   └── 2017-07-22-cve-2017-0914.md # Example security advisory. 43 | ├── README.md 44 | └── report.md 45 | ``` 46 | 47 | ![Example policy](https://user-images.githubusercontent.com/4115778/32572136-9d388d50-c4c1-11e7-879c-0de12c411949.png) 48 | 49 | 50 | ## `config.yml` 51 | 52 | * `company_name` — replace this with your organization name 53 | * `email` — replace this with your security contact address 54 | * `bugcrowd_id` — replace this with your [Bugcrowd ID](https://docs.bugcrowd.com/v1.0/docs/embedded-submission-form), if applicable 55 | * `hackerone_url` and `bugcrowd_url` — the /report URL will redirect to one of these, if specified. 56 | 57 | ## `index.md` 58 | 59 | The index file is where your security policy lives. To learn more about writing good security policies, please refer to https://support.hackerone.com/hc/en-us/articles/205624665-How-do-we-write-a-good-policy-. 60 | 61 | ## `advisories.md` 62 | 63 | This is where you can list your security advisories. The list is updated every time you add a security advisory to the `_posts` folder. 64 | 65 | ## `report.md` 66 | 67 | This file should contain contact information for security researchers to use when reporting a security vulnerability. If a HackerOne or Bugcrowd URL is specified in `config.yml`, users will be redirected automatically. You can also use an embedded Bugcrowd submission form. Just uncomment the form, and add your Bugcrowd embed token under `bugcrowd_id` in `_config.yml`. 68 | 69 | ## `hof.md` 70 | 71 | This is your security acknowledgements page. List the details of security researchers that reported valid security issues (and wish to be listed publicly). 72 | 73 | ## `.well-known/security.txt` 74 | 75 | `security-template` contains a security.txt template file. _security.txt_ defines a standard to help organizations define the process for security researchers to safely disclose vulnerabilities via a simple text file. For more on this, please refer to https://securitytxt.org/. 76 | 77 | # Contributing 78 | 79 | We welcome contributions from the public. 80 | 81 | ### Using the issue tracker 💡 82 | 83 | The issue tracker is the preferred channel for bug reports and features requests. 84 | 85 | ### Issues and labels 🏷 86 | 87 | The bug tracker utilizes several labels to help organize and identify issues. 88 | 89 | ### Guidelines for bug reports 🐛 90 | 91 | Use the GitHub issue search — check if the issue has already been reported. 92 | 93 | # Donations 94 | 95 | If you would like to support this project, you can use any of the addresses below: 96 | 97 | **Liberapay:** https://liberapay.com/EdOverflow 98 | 99 | **Bitcoin:** `1E2fZRNrrkCKPnWpKZAsJzByBoyoBURADN` 100 | 101 | **Ethereum:** `0xe98FC23fB4A8762d700c0354979dA5Db6c29Acc3` 102 | --------------------------------------------------------------------------------