From 9fa8c40957e80ebd09daab3bc3b51a9b272994ae Mon Sep 17 00:00:00 2001 From: yashvier kosaraju Date: Tue, 9 Jul 2024 12:25:27 -0700 Subject: [PATCH 1/3] Update Bug_bounty_metrics.md adding a metric for severity of vulns --- bug-bounty/v1/Bug_bounty_metrics.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/bug-bounty/v1/Bug_bounty_metrics.md b/bug-bounty/v1/Bug_bounty_metrics.md index 1410591..509b395 100644 --- a/bug-bounty/v1/Bug_bounty_metrics.md +++ b/bug-bounty/v1/Bug_bounty_metrics.md @@ -28,3 +28,6 @@ By charting and measuring specific vulnerability classifications, you gain signa This information can then be provided to your product security and engineering teams to tackle common issues strategically and proactively. Metrics version 1.0 copied from [Sectemplates.com](https://www.sectemplates.com) + +## Volume based on severity +This helps determine the severity of submissions you are getting. As you mature your program, you can try different things to try and increase the P0/P1 submissions. From 5f3fc6060fa453c32bc618a0ba56e4ba9a34bbaa Mon Sep 17 00:00:00 2001 From: yashvier kosaraju Date: Tue, 9 Jul 2024 12:37:37 -0700 Subject: [PATCH 2/3] Create safe-harbour.md adding a safe harbor page --- bug-bounty/v1/safe-harbour.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 bug-bounty/v1/safe-harbour.md diff --git a/bug-bounty/v1/safe-harbour.md b/bug-bounty/v1/safe-harbour.md new file mode 100644 index 0000000..bcebbe8 --- /dev/null +++ b/bug-bounty/v1/safe-harbour.md 
@@ -0,0 +1,22 @@ +# Safe Harbour Policy + +## What is safe harbor? +A “safe harbor” is a provision that offers protection from liability in certain situations, usually when certain conditions are met. In the context of security research and vulnerability disclosure, it is a statement from an organization that hackers engaged in Good Faith Security Research and ethical disclosure are authorized to conduct such activity and will not be subject to legal action from that organization. + + ## Why do you need safe harbor? + +There are instances where companies have taken legal actions against security researchers when they have reported vulnerabilities. Having a safe harbour policy in place assures researchers about your intent to work with them in good faith. + +Bug bounty platforms will bring this up in your initial conversations as well. + +## Sample Safe Harbour + +When conducting vulnerability research according to this policy, we consider this research to be: + +* Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy; +* Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls; +* Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and +Lawful, helpful to the overall security of the Internet, and conducted in good faith. +* You are expected, as always, to comply with all applicable laws. +* If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@bugcrowd.com before going any further. + From a58eb59e8c445f9f1ae047d24a2d076b432858ce Mon Sep 17 00:00:00 2001 
From: yashvier kosaraju Date: Tue, 9 Jul 2024 12:40:39 -0700 Subject: [PATCH 3/3] Update and rename safe-harbour.md to safe-harbor.md spell check --- bug-bounty/v1/{safe-harbour.md => safe-harbor.md} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename bug-bounty/v1/{safe-harbour.md => safe-harbor.md} (91%) diff --git a/bug-bounty/v1/safe-harbour.md b/bug-bounty/v1/safe-harbor.md similarity index 91% rename from bug-bounty/v1/safe-harbour.md rename to bug-bounty/v1/safe-harbor.md index bcebbe8..96cf463 100644 --- a/bug-bounty/v1/safe-harbour.md +++ b/bug-bounty/v1/safe-harbor.md @@ -1,15 +1,15 @@ -# Safe Harbour Policy +# Safe Harbor Policy ## What is safe harbor? A “safe harbor” is a provision that offers protection from liability in certain situations, usually when certain conditions are met. In the context of security research and vulnerability disclosure, it is a statement from an organization that hackers engaged in Good Faith Security Research and ethical disclosure are authorized to conduct such activity and will not be subject to legal action from that organization. ## Why do you need safe harbor? -There are instances where companies have taken legal actions against security researchers when they have reported vulnerabilities. Having a safe harbour policy in place assures researchers about your intent to work with them in good faith. +There are instances where companies have taken legal actions against security researchers when they have reported vulnerabilities. Having a safe harbor policy in place assures researchers about your intent to work with them in good faith. Bug bounty platforms will bring this up in your initial conversations as well. -## Sample Safe Harbour +## Sample Safe Harbor When conducting vulnerability research according to this policy, we consider this research to be:
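Review bot: In the Bug_bounty_metrics.md hunk (PATCH 1/3), the new "## Volume based on severity" section is appended below the line "Metrics version 1.0 copied from [Sectemplates.com](https://www.sectemplates.com)", which reads as the document's closing attribution; move the new section above that line so the attribution stays at the end. The body also uses "P0/P1" without saying which severity scale that refers to, so either name the scale the program uses or link to where it is defined, and tighten "you can try different things to try and increase" to "you can experiment with ways to increase".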
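Review bot: In the new safe-harbour.md (PATCH 2/3), the line "Lawful, helpful to the overall security of the Internet, and conducted in good faith." is missing its "* " bullet marker, so it falls out of the list that "we consider this research to be:" introduces; the two bullets that follow it ("You are expected, as always, to comply with all applicable laws." and "If at any time you have concerns ...") are instructions to the researcher, not descriptions of the research, and read better as plain paragraphs after the list. The heading " ## Why do you need safe harbor?" has a leading space that should be removed for consistency with the other headings. The sample hard-codes "support@bugcrowd.com" as the contact address; since this is a template for an organization's own policy, replace it with a placeholder such as [your security contact address] so adopters do not ship a third party's mailbox. Because the sample cites the CFAA and DMCA, which are United States statutes, it is worth a sentence noting that organizations in other jurisdictions need to adapt the legal references.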
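Review bot: The rename in PATCH 3/3 (safe-harbour.md to safe-harbor.md) only corrects spelling introduced by PATCH 2/3 in the same series, so squash the two into one commit that creates safe-harbor.md directly rather than landing a file name that is immediately renamed. The series shows no change to any index or README that might link to the page, so confirm that nothing else in bug-bounty/v1 references safe-harbour.md before merging, otherwise the rename leaves a dangling link. The hunk also stops at "we consider this research to be:", so the remaining lines of the sample policy are not visible here for review.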