This repository has been archived by the owner on Nov 16, 2022. It is now read-only.

Security Radar 27 #782

Closed
gratipay-bot opened this issue Aug 21, 2016 · 6 comments

Comments

@gratipay-bot

gratipay-bot commented Aug 21, 2016

← Security Radar 26


Docs

http://inside.gratipay.com/howto/sweep-the-radar

Mission

The mission of the security team is to protect our sensitive information.

Scope

Queue

Unclear Risk

https://hackerone.com/reports/117195
https://hackerone.com/reports/161766

Severe Risk
Moderate Risk

https://hackerone.com/reports/127218
https://hackerone.com/reports/128844
https://hackerone.com/reports/143139

Mild Risk

https://hackerone.com/reports/76304
https://hackerone.com/reports/80907
https://hackerone.com/reports/90805
https://hackerone.com/reports/108645
https://hackerone.com/reports/109161
https://hackerone.com/reports/111325
https://hackerone.com/reports/117187
https://hackerone.com/reports/117739
https://hackerone.com/reports/117984
https://hackerone.com/reports/118023
https://hackerone.com/reports/123688
https://hackerone.com/reports/123697
https://hackerone.com/reports/128121
https://hackerone.com/reports/140387
https://hackerone.com/reports/140432

Theoretical Risk

https://hackerone.com/reports/78151
https://hackerone.com/reports/90777
https://hackerone.com/reports/116147
https://hackerone.com/reports/117833
https://hackerone.com/reports/123942
https://hackerone.com/reports/123897
https://hackerone.com/reports/124096
https://hackerone.com/reports/127824
https://hackerone.com/reports/127949
https://hackerone.com/reports/127995
gratipay/gratipay.com#823
https://hackerone.com/reports/137002
https://hackerone.com/reports/138693
https://hackerone.com/reports/143139
https://hackerone.com/reports/161765

@ghost

ghost commented Aug 21, 2016

Please take a look at the one from last week ;-)

@ghost

ghost commented Aug 21, 2016

After taking a look at ownCloud's policy, I found:

Q: Where should I report bugs without security implication or hardening / best practice guidance?
A: Please report all non-security bugs as well as general hardening advice at https://github.com/owncloud/core. Rule of thumb: if it on its own is not directly exploitable, it is likely to be hardening.

I guess it's worth telling the users to do it for our case too. In addition to my last week's suggestion:

Keep "Informative" for best practices and things not seen as a risk, create a GitHub ticket, link the GH ticket in the report and close the HackerOne report.

@ghost

ghost commented Aug 21, 2016

Making a PR for one improvement of our policy on the train tomorrow…

EDIT: still working on it :>

@chadwhitacre

@Nashe Now that you're so ably managing our Security queue 👏 , I've gone ahead and turned off my email notifications for the Gratipay team on HackerOne. I believe I'll still receive notices if you @mention me on HackerOne, but not otherwise. If you aren't sure whether I'm getting your messages, feel free to drop me a line here on the Security Radar on GitHub if there's anything you need me to look at. This is similar to how @mattbk and I handle Freshdesk—he is first-line, bringing me in only as needed—yay for making me less important! 💃

!m @Nashe
!m *

@ghost

ghost commented Aug 25, 2016

Just to let you know that I won't be able to handle any report until Monday. Good weekend to everybody :-)

@chadwhitacre

Thanks for the heads-up, @Nashe. Bon weekend ! :)
