Liberapay
External Program
Submit bugs directly to this organization
Liberapay
We will investigate legitimate reports and make every effort to quickly resolve any vulnerability. Please make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute authorized conduct.
If legal action is initiated by a third party against you and you have complied with this security policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
It is also important to note, we will not take legal action against you simply for providing us with a proof of concept of the security vulnerability. Please follow the guidelines listed in the Proof of concepts section below to ensure that your proof of concept is detailed enough to demonstrate the issue and still follows the guideline listed above.
Before reporting a potential vulnerability please check that it's not already in our list of known low-risk issues: https://github.com/liberapay/liberapay.com/labels/Defense
You may stumble across something that appears like an issue at first, but turns out to be an accepted risk or not a security vulnerability. We created this section in the hopes that you will not panic if you come across these non-issues.
app-conf-defaults.sql file), but these are simply test credentials and exposing them is an accepted risk.If you are not sure about whether something belongs to us or not, please feel free to either submit a report or email contact {at} edoverflow {dot} com with your questions. If you submit a report, we will let you self-close it afterwards so as not to affect your reputation.
To demonstrate the impact of your findings, please feel free to exploit them against https://liberapay.com/hackerone-target if you can. This will give us an idea of what you are capable of doing against a victim's account on the Liberapay platform.
{F320809}
This dummy account is very privacy oriented and has all the privacy settings enabled.
{F320808}
We have also set up a target team account on https://liberapay.com/hackerone-target-team. Once again, this is a very privacy-oriented team.
{F320813} {F320810}
Finally, there is a target community too: https://liberapay.com/for/hackerone-target-community. Unlike the other targets the community isn't private, so it's supposed to appear in search results.
{F320812}
Don't submit:
The following issue types are excluded from scope:
| Description | Reason |
|---|---|
| Network-level Denial of Service (DoS/DDoS) vulnerabilities. | We do not want you to disrupt any of our services. |
| Low severity issues that can be detected with tools such as Hardenize and Security Headers. | We run regular scans with these services and try to improve our score gradually. |
| Content injection issues. | The severity of this issue is so low that it does not warrant a report. |
| Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.). | In order for CSRF to be a valid issue it must affect some important action such as deleting one's account. |
| Missing cookie flags on non-security-sensitive cookies. | These type of issues do not present a major risk and are usually picked up by scanners. |
| UI and UX bugs (including spelling mistakes). | No comment. |
| 401 injection. | This is usually an accepted risk and we are already aware of this issue: https://github.com/liberapay/liberapay.com/issues/504. |
| Stack traces that disclose information. | All of our projects are open-source therefore this information is usually public knowledge. That said, if you discover a stack trace that discloses information which is not located in our GitHub repositories, please do submit a report. |
| Host header issues without an accompanying proof-of-concept demonstrating vulnerability. | We require a clear proof of concept. |
| Open ports without an accompanying proof-of-concept demonstrating vulnerability. | Same as above. |
| Banner grabbing issues (figuring out what web server we use, etc.). | We will happily share what web servers we are running. |
Missing X-Frame-Options header (Clickjacking) | The lack of X-Frame-Options does not always indicate that a security vulnerability is present. This is an optional header that is only necessary on endpoints where there UI is rendered to invoke state changing actions. We recommend reading this informative post by David Ross: https://plus.google.com/u/0/+DavidRossX/posts/jVrtTRd5yKP |
| Cross-site tracing | In order for Cross-Site Tracing (XST) to really be a significant issue you would need to find an endpoint vulnerable to Cross-site Scripting (XSS). |
CSP uses unsafe-inline | The fact that a CSP includes unsafe-inline is not an issue in itself. In order for you to demonstrate the actual impact of this value, we highly recommend you look for an XSS vulnerability. Try to trigger alert(document.domain). |
| Disclosure of robots.txt file | We are aware that in some cases robots.txt files have been known to disclose sensitive information. In our case we have determined that our robots.txt files do not contain any information that poses a potential security risk. |
| Email spoofing (SPF misconfigurations) | We have accepted the risk that this issue poses and do not believe that it warrants an immediate fix. |
Open redirect using Host header | Open redirects in the Host header are not exploitable. |
| User enumeration | See https://security.stackexchange.com/a/200612/192205. |
As a rule of thumb, pretty much everything listed below is a non-issue:
{F304365}
| Issue type | How to prove it |
|---|---|
| XSS | Trigger the opening of an alert window that displays the URL of the vulnerable page, by executing alert(location.href). |
| Python RCE | Get the output of os.uname(). |
| Shell RCE | Get the output of uname -a. |
| SQL RCE | Get the version number of the SQL server with select version();. |
| Unvalidated redirect | Set the redirect endpoint to http://example.com if possible. |
| CSRF | Provide the source code of your exploit and explain how it works, especially why the anti-CSRF cookie and the SameSite attribute of the session cookie don't prevent exploiting the vulnerability. |
| SSRF | Use a service like Request Bin to record the request sent by the vulnerable server. |
| LFI and RFI | Execute a harmless script. |
We will make a best effort to meet the following expectations for hackers participating in this program:
Time to first response: 2 business days or less. Time to triage: 3 business days or less.
We encourage hackers to read Web Hacking 101 and Breaking into Information Security: Learning the Ropes 101 to get a good idea of the type of issues that we are looking for.
The term "severity" is frequently used interchangeably with "impact" or "priority". This section defines our terminology in order to prevent any potential confusion. We use the Oxford Dictionaries' definition of "severity" and Information Technology Infrastructure Library's definitions of the two latter terms.
Severity
The fact or condition of being severe.
Impact
A measure of the effect of an incident, problem or change on business processes. Impact is often based on how service levels will be affected. Impact and urgency are used to assign priority.
Priority
A category used to identify the relative importance of an incident, problem or change. Priority is based on impact and urgency, and is used to identify required times for actions to be taken.
Whenever we triage a report, a CVSS v3.0 Base Score metric is set which evaluates the technical severity of the reported issue and allows us to prioritise the fix. Once a patch has been submitted and verified, we will then evaluate the total CVSS score by including the Environmental Score.
Thank you for helping us keep Liberapay safe!