forked from mCaptcha/website
security, donations and about
This commit is contained in:
parent
d47e7ae8b4
commit
b264d56dcd
9 changed files with 223 additions and 36 deletions
|
@ -75,6 +75,7 @@
|
||||||
[[footer]]
|
[[footer]]
|
||||||
name = "Security"
|
name = "Security"
|
||||||
url = "/security"
|
url = "/security"
|
||||||
|
identifier = "security"
|
||||||
weight = 10
|
weight = 10
|
||||||
|
|
||||||
[[footer]]
|
[[footer]]
|
||||||
|
|
|
@ -70,7 +70,7 @@ code is freely available(both as in freedom and beers) at [our
|
||||||
GitHub](https://github.com/mCaptcha/).
|
GitHub](https://github.com/mCaptcha/).
|
||||||
|
|
||||||
|
|
||||||
## Resources:
|
## Resources
|
||||||
|
|
||||||
- [guard](https://github.com/mCaptcha/guard) - mCaptcha backend `AGPL`
|
- [guard](https://github.com/mCaptcha/guard) - mCaptcha backend `AGPL`
|
||||||
- [frontend library](https://github.com/mCaptcha/browser) - mCaptcha frontend library. `MIT/APACHE`
|
- [frontend library](https://github.com/mCaptcha/browser) - mCaptcha frontend library. `MIT/APACHE`
|
||||||
|
|
|
@ -7,5 +7,14 @@ draft: false
|
||||||
images: []
|
images: []
|
||||||
---
|
---
|
||||||
|
|
||||||
Come say hi at our [Matrix community](https://matrix.to/#/+mcaptcha:matrix.batsense.net) or write to me at
|
## Matrix Community
|
||||||
[realaravinth@batsense.net](mailto:realaravinth@batsense.net)!
|
|
||||||
|
Come say hi at our [Matrix community](https://matrix.to/#/+mcaptcha:matrix.batsense.net)!
|
||||||
|
|
||||||
|
## Lead developer email
|
||||||
|
|
||||||
|
Write to me at [realaravinth@batsense.net](mailto:realaravinth@batsense.net)!
|
||||||
|
|
||||||
|
## Bug reports
|
||||||
|
|
||||||
|
We GitHub for managing tickets
|
||||||
|
|
|
@ -7,13 +7,15 @@ draft: false
|
||||||
images: []
|
images: []
|
||||||
---
|
---
|
||||||
|
|
||||||
|
## Matrix Community
|
||||||
|
|
||||||
We have a [Matrix
|
We have a [Matrix
|
||||||
community](https://matrix.to/#/+mcaptcha:matrix.batsense.net), come say
|
community](https://matrix.to/#/+mcaptcha:matrix.batsense.net), come say
|
||||||
hi!.
|
hi!.
|
||||||
|
|
||||||
You can find
|
## Lead developer
|
||||||
me([@realaravinth](/contributors/aravinth-manivannan/))
|
|
||||||
on the [Matrix](https://matrix.to/#/@realaravinth:matrix.batsense.net),
|
You can find me([@realaravinth](/contributors/aravinth-manivannan/)) on
|
||||||
on [GitHub](https://github.com/realaravinth) or email me at
|
the [Matrix](https://matrix.to/#/@realaravinth:matrix.batsense.net), on
|
||||||
|
[GitHub](https://github.com/realaravinth) or email me at
|
||||||
[realaravinth@batense.net](mailto:realaravinth@batsense.net).
|
[realaravinth@batense.net](mailto:realaravinth@batsense.net).
|
||||||
|
|
|
@ -15,7 +15,7 @@ Some of the payment options are anonymous. You can optionally send
|
||||||
me([@realaravinth](/contributors/aravinth-manivannan/)) so that I can
|
me([@realaravinth](/contributors/aravinth-manivannan/)) so that I can
|
||||||
thank you :)
|
thank you :)
|
||||||
|
|
||||||
## XMR:
|
## XMR
|
||||||
|
|
||||||
```
|
```
|
||||||
85QAHsHqg4WfA6G7ycXc7U4LmrSLCQARv6H9p3AYjf8o8YP
|
85QAHsHqg4WfA6G7ycXc7U4LmrSLCQARv6H9p3AYjf8o8YP
|
||||||
|
@ -28,7 +28,7 @@ WH3ngC8Zi7bUYGUifdXb54Xuz41kcu2pqgGFuAYp3VSh5JsR
|
||||||
caption="<em>Monero address QR code</em>"
|
caption="<em>Monero address QR code</em>"
|
||||||
>}}
|
>}}
|
||||||
|
|
||||||
## Liberapay:
|
## Liberapay
|
||||||
|
|
||||||
<script src="https://liberapay.com/realaravinth/widgets/button.js"></script>
|
<script src="https://liberapay.com/realaravinth/widgets/button.js"></script>
|
||||||
|
|
||||||
|
|
|
@ -1,11 +1,146 @@
|
||||||
---
|
---
|
||||||
title: "Community"
|
title: "Security"
|
||||||
description: "Drop us an email."
|
description: "mCaptcha security policies."
|
||||||
date: 2021-03-10
|
date: 2021-03-10
|
||||||
lastmod: 2021-03-10 20:48
|
lastmod: 2021-03-10 20:48
|
||||||
draft: false
|
draft: false
|
||||||
images: []
|
identifiers: "security"
|
||||||
|
layout: "security"
|
||||||
|
toc: true
|
||||||
---
|
---
|
||||||
|
|
||||||
Come say hi at our [Matrix community](https://matrix.to/#/+mcaptcha:matrix.batsense.net) or write to me at
|
Security is at the heart of mCaptcha. If you find any discrepancies in
|
||||||
[realaravinth@batsense.net](mailto:realaravinth@batsense.net)!
|
our software(see listing on our [GitHub](https://github.com/mCaptcha),
|
||||||
|
services available at
|
||||||
|
|
||||||
|
## Rules:
|
||||||
|
|
||||||
|
### Before you start
|
||||||
|
|
||||||
|
- Check the list of domains that are in scope for the Bug Bounty program
|
||||||
|
and the list of targets for useful information for getting started.
|
||||||
|
|
||||||
|
- Check the list of bugs that have been classified as ineligible.
|
||||||
|
|
||||||
|
- Check our changelog(on our GitHub repositories) for recently launched features.
|
||||||
|
|
||||||
|
- Never attempt non-technical attacks such as social engineering,
|
||||||
|
phishing, or physical attacks against our employees, users, or
|
||||||
|
infrastructure.
|
||||||
|
|
||||||
|
When in doubt, contact
|
||||||
|
me([@realaravinth](/contributors/aravinth-manivannan/)) at
|
||||||
|
[realaravinth@batense.net](mailto:realaravinth@batsense.net).
|
||||||
|
|
||||||
|
### Performing your research
|
||||||
|
|
||||||
|
- Do not impact other users with your testing, this includes testing
|
||||||
|
vulnerabilities with CAPTCHA credentials and account credentials
|
||||||
|
organizations you do not own. If you are attempting to find an
|
||||||
|
authorization bypass, you must use accounts you own.
|
||||||
|
|
||||||
|
- The following are never allowed for research. We may
|
||||||
|
suspend your mCaptcha account for:
|
||||||
|
|
||||||
|
- Performing distributed denial of service (DDoS) or other volumetric
|
||||||
|
attacks. Sure, we are a DDos protection company, but with sufficient
|
||||||
|
resources and motivation, it is possible to take us down. For this
|
||||||
|
reason, we request you to not hammer us.
|
||||||
|
|
||||||
|
- Spamming content Large-scale vulnerability scanners, scrapers, or
|
||||||
|
automated tools which produce excessive amounts of traffic.
|
||||||
|
|
||||||
|
Note: We do allow the use of automated tools so long as they do
|
||||||
|
not produce excessive amounts of traffic. For example, running
|
||||||
|
one nmap scan against one host is allowed, but sending 65,000
|
||||||
|
requests in two minutes using Burp Suite Intruder is excessive.
|
||||||
|
|
||||||
|
- Researching denial-of-service attacks is allowed only if you follow
|
||||||
|
these rules:
|
||||||
|
|
||||||
|
- There are no limits for researching denial of service
|
||||||
|
vulnerabilities against your own instance of mCaptcha server.
|
||||||
|
|
||||||
|
We strongly recommend/prefer this method for researching
|
||||||
|
denial of service issues.
|
||||||
|
|
||||||
|
- If you choose to test on mCaptcha proper (i.e.
|
||||||
|
[https://mcaptcha.org](https://mcaptcha.org) or [https://mcaptcha.io](https://mcaptcha.io)):
|
||||||
|
- Research must be performed using credentials you own.
|
||||||
|
- Stop immediately if you believe you have affected the
|
||||||
|
availability of our services. Don’t worry about demonstrating
|
||||||
|
the full impact of your vulnerability, our team
|
||||||
|
will be able to determine the impact.
|
||||||
|
|
||||||
|
### Handling personally identifiable information (PII)
|
||||||
|
|
||||||
|
- Personally identifying information (PII) includes:
|
||||||
|
|
||||||
|
- legal and/or full names
|
||||||
|
- names or usernames combined with other identifiers like phone numbers or email addresses
|
||||||
|
- health or financial information (including insurance information, social security numbers, etc.)
|
||||||
|
- information about political or religious affiliations
|
||||||
|
- information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes
|
||||||
|
|
||||||
|
- Do not intentionally access others’ PII. If you suspect a service
|
||||||
|
provides access to PII, limit queries to your own personal
|
||||||
|
information.
|
||||||
|
|
||||||
|
- Report the vulnerability immediately and do not attempt to access any
|
||||||
|
other data. We will assess the scope and impact of the PII exposure.
|
||||||
|
|
||||||
|
- Limit the amount of data returned from services. For SQL injection,
|
||||||
|
for example, limit the number of rows returned
|
||||||
|
|
||||||
|
- You must delete all your local, stored, or cached copies of data
|
||||||
|
containing PII as soon as possible. We may ask you to sign a
|
||||||
|
certificate of deletion and confidentiality agreement regarding the
|
||||||
|
exact information you accessed. We may ask you for the usernames and
|
||||||
|
IP addresses used during your testing to assess the impact of the
|
||||||
|
vulnerability.
|
||||||
|
|
||||||
|
### Reporting your vulnerability
|
||||||
|
|
||||||
|
- Please include written instructions for reproducing the
|
||||||
|
vulnerability.
|
||||||
|
|
||||||
|
- When reporting vulnerabilities you must keep all information on in our
|
||||||
|
email correspondence. Do not post information to video-sharing or
|
||||||
|
pastebin sites.
|
||||||
|
|
||||||
|
- For vulnerabilities involving personally identifiable information,
|
||||||
|
please explain the kind of PII you believe is exposed and limit the
|
||||||
|
amount of PII data included in your bug report. For textual
|
||||||
|
information and screenshots, please only include redacted data in your
|
||||||
|
bug report.
|
||||||
|
|
||||||
|
- During the course of an investigation, it may take time to resolve
|
||||||
|
the issue you have reported. We ask that you refrain from publicly
|
||||||
|
disclosing details regarding an issue you’ve reported until the fix has
|
||||||
|
been publicly made available.
|
||||||
|
|
||||||
|
### Legal safe harbor:
|
||||||
|
|
||||||
|
We currently don't have any legal policies in place but you can rest
|
||||||
|
assured that as long as your research adheres to the above rules, your
|
||||||
|
security research and vulnerability disclosure activities are considered
|
||||||
|
as "authorized".
|
||||||
|
|
||||||
|
A detailed policy based on this sentiment is in the works.
|
||||||
|
|
||||||
|
## Scope:
|
||||||
|
|
||||||
|
mCaptcha runs a number of services. Only domains listed below are are
|
||||||
|
eligible for security research. Any mCaptcha-owned domains not listed
|
||||||
|
below are _not_ in scope and are _not_ covered by our [legal safe
|
||||||
|
harbor](./#legal-safe-harbor)
|
||||||
|
|
||||||
|
### mcaptcha.org
|
||||||
|
|
||||||
|
- mcaptcha.org
|
||||||
|
- demo.mcaptcha.org
|
||||||
|
- demo2.mcaptcha.org
|
||||||
|
|
||||||
|
### mcaptcha.io
|
||||||
|
|
||||||
|
- mcaptcha.io
|
||||||
|
|
|
@ -13,7 +13,10 @@
|
||||||
{{ .Scratch.Add "class" " list" -}}
|
{{ .Scratch.Add "class" " list" -}}
|
||||||
{{ end -}}
|
{{ end -}}
|
||||||
<body class="{{ .Scratch.Get "class" }}">
|
<body class="{{ .Scratch.Get "class" }}">
|
||||||
|
|
||||||
|
|
||||||
{{ partial "header/header.html" . }}
|
{{ partial "header/header.html" . }}
|
||||||
|
|
||||||
<div class="wrap container" role="document">
|
<div class="wrap container" role="document">
|
||||||
<div class="content">
|
<div class="content">
|
||||||
{{ block "main" . }}{{ end }}
|
{{ block "main" . }}{{ end }}
|
||||||
|
|
|
@ -1,10 +1,30 @@
|
||||||
{{ define "main" }}
|
{{ define "main" }}
|
||||||
<div class="row justify-content-center">
|
<div class="row flex-xl-nowrap">
|
||||||
<div class="col-md-12 col-lg-10 col-xl-8">
|
{{ if ne .Params.toc false -}}
|
||||||
<article>
|
<nav class="docs-toc d-none d-xl-block col-xl-3" aria-label="Secondary navigation">
|
||||||
<h1>{{ .Title }}</h1>
|
{{ partial "sidebar/docs-toc.html" . }}
|
||||||
{{ .Content }}
|
</nav>
|
||||||
</article>
|
{{ end -}}
|
||||||
</div>
|
{{ if .Params.toc -}}
|
||||||
</div>
|
<main class="docs-content col-lg-11 col-xl-9">
|
||||||
|
{{ else -}}
|
||||||
|
<main class="docs-content col-lg-11 col-xl-9 mx-xl-auto">
|
||||||
|
{{ end -}}
|
||||||
|
{{ if .Site.Params.options.breadCrumb -}}
|
||||||
|
<!-- https://discourse.gohugo.io/t/breadcrumb-navigation-for-highly-nested-content/27359/6 -->
|
||||||
|
<nav aria-label="breadcrumb">
|
||||||
|
<ol class="breadcrumb">
|
||||||
|
{{ partial "main/breadcrumb" . -}}
|
||||||
|
<li class="breadcrumb-item active" aria-current="page">{{ .Title }}</li>
|
||||||
|
</ol>
|
||||||
|
</nav>
|
||||||
|
{{ end }}
|
||||||
|
<h1>{{ .Title }}</h1>
|
||||||
|
<p class="lead">{{ .Params.lead | safeHTML }}</p>
|
||||||
|
{{ partial "main/headline-hash.html" .Content }}
|
||||||
|
{{ if .Site.Params.editPage -}}
|
||||||
|
{{ partial "main/edit-page.html" . }}
|
||||||
|
{{ end -}}
|
||||||
|
</main>
|
||||||
|
</div>
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
|
@ -1,14 +1,31 @@
|
||||||
{{ define "main" }}
|
{{ define "main" }}
|
||||||
<div class="row justify-content-center">
|
<div class="row flex-xl-nowrap">
|
||||||
<div class="col-md-12 col-lg-10 col-xl-8">
|
{{ if ne .Params.toc false -}}
|
||||||
<article>
|
<nav class="docs-toc d-none d-xl-block col-xl-3" aria-label="Secondary navigation">
|
||||||
<div class="blog-header">
|
{{ partial "sidebar/docs-toc.html" . }}
|
||||||
<h1>{{ .Title }}</h1>
|
</nav>
|
||||||
{{ partial "main/blog-meta.html" . }}
|
{{ end -}}
|
||||||
</div>
|
{{ if .Params.toc -}}
|
||||||
<p class="lead">{{ .Params.lead | safeHTML }}</p>
|
<main class="docs-content col-lg-11 col-xl-9">
|
||||||
{{ .Content }}
|
{{ else -}}
|
||||||
</article>
|
<main class="docs-content col-lg-11 col-xl-9 mx-xl-auto">
|
||||||
</div>
|
{{ end -}}
|
||||||
</div>
|
{{ if .Site.Params.options.breadCrumb -}}
|
||||||
|
<!-- https://discourse.gohugo.io/t/breadcrumb-navigation-for-highly-nested-content/27359/6 -->
|
||||||
|
<nav aria-label="breadcrumb">
|
||||||
|
<ol class="breadcrumb">
|
||||||
|
{{ partial "main/breadcrumb" . -}}
|
||||||
|
<li class="breadcrumb-item active" aria-current="page">{{ .Title }}</li>
|
||||||
|
</ol>
|
||||||
|
</nav>
|
||||||
|
{{ end }}
|
||||||
|
<h1>{{ .Title }}</h1>
|
||||||
|
<p class="lead">{{ .Params.lead | safeHTML }}</p>
|
||||||
|
{{ partial "main/headline-hash.html" .Content }}
|
||||||
|
{{ if .Site.Params.editPage -}}
|
||||||
|
{{ partial "main/edit-page.html" . }}
|
||||||
|
{{ end -}}
|
||||||
|
{{ partial "main/docs-navigation.html" . }}
|
||||||
|
</main>
|
||||||
|
</div>
|
||||||
{{ end }}
|
{{ end }}
|
Loading…
Reference in a new issue