Security

Introduction

Wrapped recognizes the importance of contributor efforts to help keep the community and the use of the code in this repository safe.

Please note that this page only refers to the disclosure of software security-related issues.

A valid issue is one that demonstrates a software vulnerability that could be exploited against the code in this repository or its users. Wrapped will be the sole determiner of whether or not an issue is valid.

Disclosure Requirements

Wrapped does not authorize security research against other entities. Complying with this policy requires researchers to adhere to "Responsible Disclosure". Responsible Disclosure includes:

  • Providing Wrapped a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.
  • Making a good faith effort to preserve the confidentiality and integrity of any data.
  • Not defrauding Wrapped users or Wrapped itself in the process of research.
  • Not profiting from, or allowing any other party to profit from, a vulnerability.
  • Not attaching conditions, demands, or ransom threats to a vulnerability report.

Wrapped considers Social Engineering attacks against contributors to be out of scope. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.

Report Evaluation

In order to be deemed valid, a report must demonstrate a software vulnerability in code provided by Wrapped. Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating findings and are therefore far more likely to be deemed valid.

A report must be a valid, in scope report in order to qualify for a bounty. Wrapped at its sole discretion, may award bounties for an amount to be determined on a case-by-case basis, based on severity of the vulnerability.

Report Closure

Wrapped reviews all findings that are reported via this policy. Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Wrapped will request additional information from the reporter. After all information is aggregated, the report submission goes through an internal review and scoring process. After the internal review process is complete, any reports that are not reproducible, invalid, or informational only will be closed.

PLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence for every report. Failure to provide a detailed report will result in delayed triage and/or closure of the report without resolution.

Scope

This policy covers all software vulnerabilities in technology directly released by Wrapped. It does not cover third party services and/or utilities, nor platforms and/or services that have integrated this code; those are subject to their own bug bounty and/or security-related responsible disclosure programs.

Additionally, all vulnerabilities that require or are related to the following are out of scope:

  • Social engineering
  • Physical security
  • Non-security-impacting UX issues
  • Deprecated open source libraries
  • Vulnerabilities or weaknesses in third party applications that integrate with Wrapped

If you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.

Program

We reserve the right to modify this policy or cancel it at any time.