
set up a security program #3

Closed
chadwhitacre opened this issue Feb 18, 2016 · 30 comments

Comments

@chadwhitacre
Contributor

Now that Aspen is out from under Gratipay's GitHub org, it would seem natural to move it out from under Gratipay's HackerOne program as well.

@Changaco Want to set us up on HackerOne?

@Changaco
Member

I've set up https://hackerone.com/aspen/ as best as I could and sent you an invite.

@Changaco
Member

I've received this email:

Hello,

Thanks for contacting HackerOne. What is your connection to aspen.io?

Regards,

@chadwhitacre
Contributor Author

You're one of the maintainers?

@chadwhitacre
Contributor Author

They do have a fairly rigorous onboarding process (last week I watched the Center for Open Science get started with HackerOne). They may ask us for an email @aspen.io.

@Changaco
Member

Changaco commented Mar 1, 2016

I've sent a response, with a link to this issue.

@chadwhitacre
Contributor Author

I've accepted the invite to join the Aspen team on HackerOne.

@chadwhitacre
Contributor Author

Got a confirmation email on security@gratipay.com and gave them the green light.

@chadwhitacre
Contributor Author

I added the word "know" to our policy:

You know what to do and what not to do, we won't bore you with a lengthy policy.

@Changaco
Member

Changaco commented Mar 4, 2016

HackerOne doesn't like my security policy one-liner:

We’re concerned about your one-line Security Page: "You know what to do and what not to do, we won't bore you with a lengthy policy."

Your policy is your best defense against uncontrolled, unfocused and unguided testing, likely resulting in submissions you would not care about. It is where you can say automated testing and unthrottled scanners are discouraged. Guidance and expectation management is what the Security Page is all about. We recommend you use our default text, attached below with modifications as you see fit. I have taken the liberty of changing your Policy to the text below.

It doesn't have to be the text below, but we do require a bit more guidance for hackers to prevent a bad experience for both sides. We hope you understand and support this goal.

I've modified the text to better fit Aspen's case, and answered the email.

@Changaco
Member

Changaco commented Mar 7, 2016

A couple more questions from HackerOne:

About how big is your team that will be handling and fixing incoming reports? This will better inform me of how many hackers we should have in your first batch of invites.

Also, when would you like to start receiving reports?

@Changaco
Member

Changaco commented Mar 9, 2016

So, we'll be 3 handling the HackerOne reports, right? Us + @pjz.

That leaves the last question: when do we want to start? Once #2 is done?

Changaco added a commit to AspenWeb/pando.py that referenced this issue Mar 12, 2016
chadwhitacre added a commit to gratipay/inside.gratipay.com that referenced this issue Mar 16, 2016
@Changaco
Member

GitLab 8.6 adds support for "Confidential Issues". If we had that, would we still want a HackerOne program for Aspen?

@chadwhitacre
Contributor Author

@Changaco HackerOne also provides attention from security researchers, and a way to incentivize them (reputation + bounties).

@chadwhitacre
Contributor Author

HackerOne also provides attention from security researchers, and a way to incentivize them (reputation + bounties).

Do we want that?

@chadwhitacre
Contributor Author

We've got a security issue in Gratipay's HackerOne that should be refiled against Aspen, soooo ...

That leaves the last question: when do we want to start?

Now! :-)

I've launched our private program at HackerOne.

[screenshot: HackerOne program page after launching the private program, 2016-06-16]

Once we're through their review I'll invite the researcher to refile at Aspen.

@Changaco
Member

Okay. I've canceled pjz's invite. I also wanted to update the policy (we have DKIM now) but the editor isn't letting me do it.

@chadwhitacre
Contributor Author

chadwhitacre commented Jun 16, 2016

Hi whit537,

Thank you for requesting approval for your HackerOne bug bounty program.

During this process, a HackerOne representative may contact you to confirm certain account and/or billing information. To expedite your approval, please respond to any requests, and make sure that your HackerOne email is your work email that matches your program's primary domain.

If your account is approved, you can expect reports from hackers within the first 7 days.

To learn more about how to handle your first report, you can learn more here: https://support.hackerone.com/hc/en-us/sections/201143105-Reports .

Thanks,
HackerOne team

@chadwhitacre
Contributor Author

but the editor isn't letting me do it.

Can you tell whether that's because we're currently under review?

@Changaco
Member

My bad, it's working, I just had to start typing something to get it to stop moving the cursor to the end all the time.

@TheHmadQureshi

@whit537 I haven't got any invite for Aspen bounty program. Are we working on that?

@chadwhitacre
Contributor Author

Hmm ... seeing this on our H1 program for Aspen:

Your program is currently pending review. We'll get back to you within 2 business days to communicate next steps.

@chadwhitacre
Contributor Author

Sent to support@H1 from private email:

Subject: Aspen program?

Greetings! We're still "pending review" for our program for Aspen. Any update?

https://hackerone.com/aspen/

P.S. Tracking on our side here:

#3

@chadwhitacre
Contributor Author

From HackerOne:

Your program is currently being reviewed and I will get back to you shortly.

Are you interested in vulns in the framework or also in the website? Do you mind explicitly stating the scope in your policy?


Thanks, []! Mostly the framework. I've added a "Scope" section to our program.

To wit:

Scope

We are primarily looking for vulnerabilities in the framework itself. Vulnerabilities in aspen.io will also be considered.

@chadwhitacre
Contributor Author

Thank you for adding the scope.

Your program has been approved.

If you decide to move your program from private to public I have a few tips that other programs have found to be helpful. You have the ability to set Signal Requirements to help control the initial influx of reports. We recommend setting strict signal requirements the day you launch publicly, then gradually open up to broader audience at a pace that works for you and your team.

Please let me know if you have any questions.

@chadwhitacre
Contributor Author

I guess that's that!

@chadwhitacre
Contributor Author

@Changaco @TheHmadQureshi is interested in joining Aspen's HackerOne team to help with triage. Any objection?

@Changaco
Member

No objection. :-)

@chadwhitacre
Contributor Author

@TheHmadQureshi Invite sent! :-)

@ghost

ghost commented Aug 20, 2016

On Gratipay's HackerOne program, I got a report related to a (supposed but very likely) vulnerability in aspen. I remembered that you were opening a program for aspen too but http://aspen.io/security.txt still indicates to use Gratipay's one instead.

What should I say to the researcher? Maybe do you want his username so you can invite him to the private program?

@chadwhitacre
Contributor Author

I remembered that you were opening a program for aspen too but http://aspen.io/security.txt still indicates to use Gratipay's one instead.

Good catch! Noted at AspenWeb/aspen.io#1 (comment).

What should I say to the researcher? Maybe do you want his username so you can invite him to the private program?

Sounds like a good idea.
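The stale aspen.io/security.txt above is the classic failure mode when a project moves its disclosure program: the published contact keeps routing reports to the old program. The check below is an added example, not code from the AspenWeb project or from this thread. It assumes the RFC 9116 security.txt layout (`Field: value` lines, `#` comments), which the 2016 file on aspen.io predates, and the two file bodies and the expected program handle `aspen` are constructed inputs for illustration.

```python
"""Check that a security.txt still points at the expected HackerOne program.

Added example, not the AspenWeb project's own code. Assumes RFC 9116
field syntax; the sample file contents below are constructed.
"""
from urllib.parse import urlparse

# Constructed sample: a stale file that still routes reports to the old program.
STALE_SECURITY_TXT = """\
# Security contact for aspen.io
Contact: https://hackerone.com/gratipay
Contact: mailto:security@gratipay.com
Policy: https://hackerone.com/gratipay
"""

# Constructed sample: what the file should look like after the program moved.
UPDATED_SECURITY_TXT = """\
Contact: https://hackerone.com/aspen
Policy: https://hackerone.com/aspen
Preferred-Languages: en
"""


def parse_security_txt(text):
    """Return {field_name_lowercase: [values...]}, ignoring comments and blanks.

    Raises ValueError on a non-empty line that is not 'Field: value', so a
    truncated or HTML-ified file fails loudly instead of parsing as empty.
    """
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a 'Field: value' line: {raw!r}")
        name, _, value = line.partition(":")  # split on the first colon only
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _hackerone_program(url):
    """Return the program handle for an https://hackerone.com/<handle> URL, else None."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.netloc.lower() != "hackerone.com":
        return None
    segments = [s for s in parsed.path.split("/") if s]
    return segments[0].lower() if segments else None


def check_program_references(text, expected_program):
    """Return a list of problems found; an empty list means the file is consistent.

    Flags: a missing Contact field, any Contact/Policy URL served over plain
    http (a report submitted that way travels in the clear), and any HackerOne
    URL that names a program other than expected_program.
    """
    fields = parse_security_txt(text)
    problems = []
    if not fields.get("contact"):
        problems.append("no Contact field")
    for field in ("contact", "policy"):
        for value in fields.get(field, []):
            if value.lower().startswith("http://"):
                problems.append(f"{field}: insecure scheme in {value}")
            program = _hackerone_program(value)
            if program is not None and program != expected_program.lower():
                problems.append(
                    f"{field}: points at program '{program}', expected '{expected_program}'"
                )
    return problems


if __name__ == "__main__":
    for label, body in (("stale", STALE_SECURITY_TXT), ("updated", UPDATED_SECURITY_TXT)):
        print(label, check_program_references(body, "aspen") or "OK")
```

Run it against the live file with `curl -s https://aspen.io/security.txt | python -c 'import sys, check; print(check.check_program_references(sys.stdin.read(), "aspen"))'` (module name assumed) as part of a release checklist, so a program move cannot silently leave the old contact published.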
