1
0
Fork 0
forked from mCaptcha/website

security, donations and about

This commit is contained in:
Aravinth Manivannan 2021-05-27 18:12:01 +05:30
parent d47e7ae8b4
commit b264d56dcd
Signed by untrusted user: realaravinth
GPG key ID: AD9F0F08E855ED88
9 changed files with 223 additions and 36 deletions

View file

@ -75,6 +75,7 @@
[[footer]] [[footer]]
name = "Security" name = "Security"
url = "/security" url = "/security"
identifier = "security"
weight = 10 weight = 10
[[footer]] [[footer]]

View file

@ -70,7 +70,7 @@ code is freely available(both as in freedom and beers) at [our
GitHub](https://github.com/mCaptcha/). GitHub](https://github.com/mCaptcha/).
## Resources: ## Resources
- [guard](https://github.com/mCaptcha/guard) - mCaptcha backend `AGPL` - [guard](https://github.com/mCaptcha/guard) - mCaptcha backend `AGPL`
- [frontend library](https://github.com/mCaptcha/browser) - mCaptcha frontend library. `MIT/APACHE` - [frontend library](https://github.com/mCaptcha/browser) - mCaptcha frontend library. `MIT/APACHE`

View file

@ -7,5 +7,14 @@ draft: false
images: [] images: []
--- ---
Come say hi at our [Matrix community](https://matrix.to/#/+mcaptcha:matrix.batsense.net) or write to me at ## Matrix Community
[realaravinth@batsense.net](mailto:realaravinth@batsense.net)!
Come say hi at our [Matrix community](https://matrix.to/#/+mcaptcha:matrix.batsense.net)!
## Lead developer email
Write to me at [realaravinth@batsense.net](mailto:realaravinth@batsense.net)!
## Bug reports
We GitHub for managing tickets

View file

@ -7,13 +7,15 @@ draft: false
images: [] images: []
--- ---
## Matrix Community
We have a [Matrix We have a [Matrix
community](https://matrix.to/#/+mcaptcha:matrix.batsense.net), come say community](https://matrix.to/#/+mcaptcha:matrix.batsense.net), come say
hi!. hi!.
You can find ## Lead developer
me([@realaravinth](/contributors/aravinth-manivannan/))
on the [Matrix](https://matrix.to/#/@realaravinth:matrix.batsense.net), You can find me([@realaravinth](/contributors/aravinth-manivannan/)) on
on [GitHub](https://github.com/realaravinth) or email me at the [Matrix](https://matrix.to/#/@realaravinth:matrix.batsense.net), on
[GitHub](https://github.com/realaravinth) or email me at
[realaravinth@batense.net](mailto:realaravinth@batsense.net). [realaravinth@batense.net](mailto:realaravinth@batsense.net).

View file

@ -15,7 +15,7 @@ Some of the payment options are anonymous. You can optionally send
me([@realaravinth](/contributors/aravinth-manivannan/)) so that I can me([@realaravinth](/contributors/aravinth-manivannan/)) so that I can
thank you :) thank you :)
## XMR: ## XMR
``` ```
85QAHsHqg4WfA6G7ycXc7U4LmrSLCQARv6H9p3AYjf8o8YP 85QAHsHqg4WfA6G7ycXc7U4LmrSLCQARv6H9p3AYjf8o8YP
@ -28,7 +28,7 @@ WH3ngC8Zi7bUYGUifdXb54Xuz41kcu2pqgGFuAYp3VSh5JsR
caption="<em>Monero address QR code</em>" caption="<em>Monero address QR code</em>"
>}} >}}
## Liberapay: ## Liberapay
<script src="https://liberapay.com/realaravinth/widgets/button.js"></script> <script src="https://liberapay.com/realaravinth/widgets/button.js"></script>

View file

@ -1,11 +1,146 @@
--- ---
title: "Community" title: "Security"
description: "Drop us an email." description: "mCaptcha security policies."
date: 2021-03-10 date: 2021-03-10
lastmod: 2021-03-10 20:48 lastmod: 2021-03-10 20:48
draft: false draft: false
images: [] identifiers: "security"
layout: "security"
toc: true
--- ---
Come say hi at our [Matrix community](https://matrix.to/#/+mcaptcha:matrix.batsense.net) or write to me at Security is at the heart of mCaptcha. If you find any discrepancies in
[realaravinth@batsense.net](mailto:realaravinth@batsense.net)! our software(see listing on our [GitHub](https://github.com/mCaptcha),
services available at
## Rules:
### Before you start
- Check the list of domains that are in scope for the Bug Bounty program
and the list of targets for useful information for getting started.
- Check the list of bugs that have been classified as ineligible.
- Check our changelog(on our GitHub repositories) for recently launched features.
- Never attempt non-technical attacks such as social engineering,
phishing, or physical attacks against our employees, users, or
infrastructure.
When in doubt, contact
me([@realaravinth](/contributors/aravinth-manivannan/)) at
[realaravinth@batense.net](mailto:realaravinth@batsense.net).
### Performing your research
- Do not impact other users with your testing, this includes testing
vulnerabilities with CAPTCHA credentials and account credentials
organizations you do not own. If you are attempting to find an
authorization bypass, you must use accounts you own.
- The following are never allowed for research. We may
suspend your mCaptcha account for:
- Performing distributed denial of service (DDoS) or other volumetric
attacks. Sure, we are a DDos protection company, but with sufficient
resources and motivation, it is possible to take us down. For this
reason, we request you to not hammer us.
- Spamming content Large-scale vulnerability scanners, scrapers, or
automated tools which produce excessive amounts of traffic.
Note: We do allow the use of automated tools so long as they do
not produce excessive amounts of traffic. For example, running
one nmap scan against one host is allowed, but sending 65,000
requests in two minutes using Burp Suite Intruder is excessive.
- Researching denial-of-service attacks is allowed only if you follow
these rules:
- There are no limits for researching denial of service
vulnerabilities against your own instance of mCaptcha server.
We strongly recommend/prefer this method for researching
denial of service issues.
- If you choose to test on mCaptcha proper (i.e.
[https://mcaptcha.org](https://mcaptcha.org) or [https://mcaptcha.io](https://mcaptcha.io)):
- Research must be performed using credentials you own.
- Stop immediately if you believe you have affected the
availability of our services. Dont worry about demonstrating
the full impact of your vulnerability, our team
will be able to determine the impact.
### Handling personally identifiable information (PII)
- Personally identifying information (PII) includes:
- legal and/or full names
- names or usernames combined with other identifiers like phone numbers or email addresses
- health or financial information (including insurance information, social security numbers, etc.)
- information about political or religious affiliations
- information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes
- Do not intentionally access others PII. If you suspect a service
provides access to PII, limit queries to your own personal
information.
- Report the vulnerability immediately and do not attempt to access any
other data. We will assess the scope and impact of the PII exposure.
- Limit the amount of data returned from services. For SQL injection,
for example, limit the number of rows returned
- You must delete all your local, stored, or cached copies of data
containing PII as soon as possible. We may ask you to sign a
certificate of deletion and confidentiality agreement regarding the
exact information you accessed. We may ask you for the usernames and
IP addresses used during your testing to assess the impact of the
vulnerability.
### Reporting your vulnerability
- Please include written instructions for reproducing the
vulnerability.
- When reporting vulnerabilities you must keep all information on in our
email correspondence. Do not post information to video-sharing or
pastebin sites.
- For vulnerabilities involving personally identifiable information,
please explain the kind of PII you believe is exposed and limit the
amount of PII data included in your bug report. For textual
information and screenshots, please only include redacted data in your
bug report.
- During the course of an investigation, it may take time to resolve
the issue you have reported. We ask that you refrain from publicly
disclosing details regarding an issue youve reported until the fix has
been publicly made available.
### Legal safe harbor:
We currently don't have any legal policies in place but you can rest
assured that as long as your research adheres to the above rules, your
security research and vulnerability disclosure activities are considered
as "authorized".
A detailed policy based on this sentiment is in the works.
## Scope:
mCaptcha runs a number of services. Only domains listed below are are
eligible for security research. Any mCaptcha-owned domains not listed
below are _not_ in scope and are _not_ covered by our [legal safe
harbor](./#legal-safe-harbor)
### mcaptcha.org
- mcaptcha.org
- demo.mcaptcha.org
- demo2.mcaptcha.org
### mcaptcha.io
- mcaptcha.io

View file

@ -13,7 +13,10 @@
{{ .Scratch.Add "class" " list" -}} {{ .Scratch.Add "class" " list" -}}
{{ end -}} {{ end -}}
<body class="{{ .Scratch.Get "class" }}"> <body class="{{ .Scratch.Get "class" }}">
{{ partial "header/header.html" . }} {{ partial "header/header.html" . }}
<div class="wrap container" role="document"> <div class="wrap container" role="document">
<div class="content"> <div class="content">
{{ block "main" . }}{{ end }} {{ block "main" . }}{{ end }}

View file

@ -1,10 +1,30 @@
{{ define "main" }} {{ define "main" }}
<div class="row justify-content-center"> <div class="row flex-xl-nowrap">
<div class="col-md-12 col-lg-10 col-xl-8"> {{ if ne .Params.toc false -}}
<article> <nav class="docs-toc d-none d-xl-block col-xl-3" aria-label="Secondary navigation">
{{ partial "sidebar/docs-toc.html" . }}
</nav>
{{ end -}}
{{ if .Params.toc -}}
<main class="docs-content col-lg-11 col-xl-9">
{{ else -}}
<main class="docs-content col-lg-11 col-xl-9 mx-xl-auto">
{{ end -}}
{{ if .Site.Params.options.breadCrumb -}}
<!-- https://discourse.gohugo.io/t/breadcrumb-navigation-for-highly-nested-content/27359/6 -->
<nav aria-label="breadcrumb">
<ol class="breadcrumb">
{{ partial "main/breadcrumb" . -}}
<li class="breadcrumb-item active" aria-current="page">{{ .Title }}</li>
</ol>
</nav>
{{ end }}
<h1>{{ .Title }}</h1> <h1>{{ .Title }}</h1>
{{ .Content }} <p class="lead">{{ .Params.lead | safeHTML }}</p>
</article> {{ partial "main/headline-hash.html" .Content }}
</div> {{ if .Site.Params.editPage -}}
{{ partial "main/edit-page.html" . }}
{{ end -}}
</main>
</div> </div>
{{ end }} {{ end }}

View file

@ -1,14 +1,31 @@
{{ define "main" }} {{ define "main" }}
<div class="row justify-content-center"> <div class="row flex-xl-nowrap">
<div class="col-md-12 col-lg-10 col-xl-8"> {{ if ne .Params.toc false -}}
<article> <nav class="docs-toc d-none d-xl-block col-xl-3" aria-label="Secondary navigation">
<div class="blog-header"> {{ partial "sidebar/docs-toc.html" . }}
</nav>
{{ end -}}
{{ if .Params.toc -}}
<main class="docs-content col-lg-11 col-xl-9">
{{ else -}}
<main class="docs-content col-lg-11 col-xl-9 mx-xl-auto">
{{ end -}}
{{ if .Site.Params.options.breadCrumb -}}
<!-- https://discourse.gohugo.io/t/breadcrumb-navigation-for-highly-nested-content/27359/6 -->
<nav aria-label="breadcrumb">
<ol class="breadcrumb">
{{ partial "main/breadcrumb" . -}}
<li class="breadcrumb-item active" aria-current="page">{{ .Title }}</li>
</ol>
</nav>
{{ end }}
<h1>{{ .Title }}</h1> <h1>{{ .Title }}</h1>
{{ partial "main/blog-meta.html" . }}
</div>
<p class="lead">{{ .Params.lead | safeHTML }}</p> <p class="lead">{{ .Params.lead | safeHTML }}</p>
{{ .Content }} {{ partial "main/headline-hash.html" .Content }}
</article> {{ if .Site.Params.editPage -}}
</div> {{ partial "main/edit-page.html" . }}
{{ end -}}
{{ partial "main/docs-navigation.html" . }}
</main>
</div> </div>
{{ end }} {{ end }}