security, donations and about

2021-05-27 18:12:01 +05:30 · 2021-05-27 18:12:01 +05:30 · b264d56dcd
commit b264d56dcd
parent d47e7ae8b4
9 changed files with 223 additions and 36 deletions
--- a/config/_default/menus.toml
+++ b/config/_default/menus.toml
@ -75,6 +75,7 @@
 [[footer]]
  name = "Security"
  url = "/security"
+  identifier = "security"
  weight = 10

 [[footer]]
--- a/content/blog/say-hello-to-mcaptcha/index.md
+++ b/content/blog/say-hello-to-mcaptcha/index.md
@ -70,7 +70,7 @@ code is freely available(both as in freedom and beers) at [our
 GitHub](https://github.com/mCaptcha/).


-## Resources:
+## Resources

 - [guard](https://github.com/mCaptcha/guard) - mCaptcha backend `AGPL`
 - [frontend library](https://github.com/mCaptcha/browser) - mCaptcha frontend library. `MIT/APACHE`
--- a/content/community/index.md
+++ b/content/community/index.md
@ -7,5 +7,14 @@ draft: false
 images: []
 ---

-Come say hi at our [Matrix community](https://matrix.to/#/+mcaptcha:matrix.batsense.net) or write to me at
-[realaravinth@batsense.net](mailto:realaravinth@batsense.net)!
+## Matrix Community
+
+Come say hi at our [Matrix community](https://matrix.to/#/+mcaptcha:matrix.batsense.net)!
+
+## Lead developer email
+
+Write to me at [realaravinth@batsense.net](mailto:realaravinth@batsense.net)!
+
+## Bug reports
+
+We GitHub for managing tickets
--- a/content/contact/index.md
+++ b/content/contact/index.md
@ -7,13 +7,15 @@ draft: false
 images: []
 ---

+## Matrix Community

 We have a [Matrix
 community](https://matrix.to/#/+mcaptcha:matrix.batsense.net), come say
 hi!.

-You can find
-me([@realaravinth](/contributors/aravinth-manivannan/))
-on the [Matrix](https://matrix.to/#/@realaravinth:matrix.batsense.net),
-on [GitHub](https://github.com/realaravinth) or email me at
+## Lead developer
+
+You can find me([@realaravinth](/contributors/aravinth-manivannan/)) on
+the [Matrix](https://matrix.to/#/@realaravinth:matrix.batsense.net), on
+[GitHub](https://github.com/realaravinth) or email me at
 [realaravinth@batense.net](mailto:realaravinth@batsense.net).
--- a/content/donate/index.md
+++ b/content/donate/index.md
@ -15,7 +15,7 @@ Some of the payment options are anonymous. You can optionally send
 me([@realaravinth](/contributors/aravinth-manivannan/)) so that I can
 thank you :)

-## XMR:
+## XMR

 ```
 85QAHsHqg4WfA6G7ycXc7U4LmrSLCQARv6H9p3AYjf8o8YP
@ -28,7 +28,7 @@ WH3ngC8Zi7bUYGUifdXb54Xuz41kcu2pqgGFuAYp3VSh5JsR
    caption="<em>Monero address QR code</em>"
 >}}

-## Liberapay:
+## Liberapay

 <script src="https://liberapay.com/realaravinth/widgets/button.js"></script>

--- a/content/security/index.md
+++ b/content/security/index.md
@ -1,11 +1,146 @@
 ---
-title: "Community"
-description: "Drop us an email."
+title: "Security"
+description: "mCaptcha security policies."
 date: 2021-03-10
 lastmod: 2021-03-10 20:48
 draft: false
-images: []
+identifiers: "security"
+layout: "security"
+toc: true
 ---

-Come say hi at our [Matrix community](https://matrix.to/#/+mcaptcha:matrix.batsense.net) or write to me at
-[realaravinth@batsense.net](mailto:realaravinth@batsense.net)!
+Security is at the heart of mCaptcha. If you find any discrepancies in
+our software(see listing on our [GitHub](https://github.com/mCaptcha),
+services available at
+
+## Rules:
+
+### Before you start
+
+- Check the list of domains that are in scope for the Bug Bounty program
+  and the list of targets for useful information for getting started.
+
+- Check the list of bugs that have been classified as ineligible.
+
+- Check our changelog(on our GitHub repositories) for recently launched features.
+
+- Never attempt non-technical attacks such as social engineering,
+  phishing, or physical attacks against our employees, users, or
+  infrastructure.
+
+When in doubt, contact
+me([@realaravinth](/contributors/aravinth-manivannan/)) at
+[realaravinth@batense.net](mailto:realaravinth@batsense.net).
+
+### Performing your research
+
+- Do not impact other users with your testing, this includes testing
+  vulnerabilities with CAPTCHA credentials and account credentials
+  organizations you do not own. If you are attempting to find an
+  authorization bypass, you must use accounts you own.
+
+- The following are never allowed for research. We may
+  suspend your mCaptcha account for:
+
+  - Performing distributed denial of service (DDoS) or other volumetric
+    attacks. Sure, we are a DDos protection company, but with sufficient
+    resources and motivation, it is possible to take us down. For this
+    reason, we request you to not hammer us.
+
+  - Spamming content Large-scale vulnerability scanners, scrapers, or
+    automated tools which produce excessive amounts of traffic.
+
+    Note: We do allow the use of automated tools so long as they do
+    not produce excessive amounts of traffic. For example, running
+    one nmap scan against one host is allowed, but sending 65,000
+    requests in two minutes using Burp Suite Intruder is excessive.
+
+- Researching denial-of-service attacks is allowed only if you follow
+  these rules:
+
+  - There are no limits for researching denial of service
+    vulnerabilities against your own instance of mCaptcha server.
+
+    We strongly recommend/prefer this method for researching
+    denial of service issues.
+
+  - If you choose to test on mCaptcha proper (i.e.
+    [https://mcaptcha.org](https://mcaptcha.org) or [https://mcaptcha.io](https://mcaptcha.io)):
+    - Research must be performed using credentials you own.
+    - Stop immediately if you believe you have affected the
+      availability of our services. Don’t worry about demonstrating
+      the full impact of your vulnerability, our team
+      will be able to determine the impact.
+
+### Handling personally identifiable information (PII)
+
+- Personally identifying information (PII) includes:
+
+  - legal and/or full names
+  - names or usernames combined with other identifiers like phone numbers or email addresses
+  - health or financial information (including insurance information, social security numbers, etc.)
+  - information about political or religious affiliations
+  - information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes
+
+- Do not intentionally access others’ PII. If you suspect a service
+  provides access to PII, limit queries to your own personal
+  information.
+
+- Report the vulnerability immediately and do not attempt to access any
+  other data. We will assess the scope and impact of the PII exposure.
+
+- Limit the amount of data returned from services. For SQL injection,
+  for example, limit the number of rows returned
+
+- You must delete all your local, stored, or cached copies of data
+  containing PII as soon as possible. We may ask you to sign a
+  certificate of deletion and confidentiality agreement regarding the
+  exact information you accessed. We may ask you for the usernames and
+  IP addresses used during your testing to assess the impact of the
+  vulnerability.
+
+### Reporting your vulnerability
+
+- Please include written instructions for reproducing the
+  vulnerability.
+
+- When reporting vulnerabilities you must keep all information on in our
+  email correspondence. Do not post information to video-sharing or
+  pastebin sites.
+
+- For vulnerabilities involving personally identifiable information,
+  please explain the kind of PII you believe is exposed and limit the
+  amount of PII data included in your bug report. For textual
+  information and screenshots, please only include redacted data in your
+  bug report.
+
+- During the course of an investigation, it may take time to resolve
+  the issue you have reported. We ask that you refrain from publicly
+  disclosing details regarding an issue you’ve reported until the fix has
+  been publicly made available.
+
+### Legal safe harbor:
+
+We currently don't have any legal policies in place but you can rest
+assured that as long as your research adheres to the above rules, your
+security research and vulnerability disclosure activities are considered
+as "authorized".
+
+A detailed policy based on this sentiment is in the works.
+
+## Scope:
+
+mCaptcha runs a number of services. Only domains listed below are are
+eligible for security research. Any mCaptcha-owned domains not listed
+below are _not_ in scope and are _not_ covered by our [legal safe
+harbor](./#legal-safe-harbor)
+
+### mcaptcha.org
+
+- mcaptcha.org
+- demo.mcaptcha.org
+- demo2.mcaptcha.org
+
+### mcaptcha.io
+
+- mcaptcha.io
--- a/layouts/_default/baseof.html
+++ b/layouts/_default/baseof.html
@ -13,7 +13,10 @@
    {{ .Scratch.Add "class" " list" -}}
  {{ end -}}
  <body class="{{ .Scratch.Get "class" }}">
+
+
    {{ partial "header/header.html" . }}
+
    <div class="wrap container" role="document">
      <div class="content">
        {{ block "main" . }}{{ end }}
@ -27,4 +30,4 @@
    {{ end }}
    {{ partial "footer/script-footer.html" . }}
  </body>
-</html>
+</html>
--- a/layouts/_default/single.html
+++ b/layouts/_default/single.html
@ -1,10 +1,30 @@
 {{ define "main" }}
-<div class="row justify-content-center">
-  <div class="col-md-12 col-lg-10 col-xl-8">
-    <article>
-      <h1>{{ .Title }}</h1>
-      {{ .Content }}
-    </article>
-  </div>
-</div>
+	<div class="row flex-xl-nowrap">
+		{{ if ne .Params.toc false -}}
+		<nav class="docs-toc d-none d-xl-block col-xl-3" aria-label="Secondary navigation">
+			{{ partial "sidebar/docs-toc.html" . }}
+		</nav>
+		{{ end -}}
+		{{ if .Params.toc -}}
+		<main class="docs-content col-lg-11 col-xl-9">
+		{{ else -}}
+		<main class="docs-content col-lg-11 col-xl-9 mx-xl-auto">
+		{{ end -}}
+			{{ if .Site.Params.options.breadCrumb -}}
+				<!-- https://discourse.gohugo.io/t/breadcrumb-navigation-for-highly-nested-content/27359/6 -->
+				<nav aria-label="breadcrumb">
+					<ol class="breadcrumb">
+						{{ partial "main/breadcrumb" . -}}
+						<li class="breadcrumb-item active" aria-current="page">{{ .Title }}</li>
+					</ol>
+				</nav>
+			{{ end }}
+			<h1>{{ .Title }}</h1>
+			<p class="lead">{{ .Params.lead | safeHTML }}</p>
+			{{ partial "main/headline-hash.html" .Content }}
+			{{ if .Site.Params.editPage -}}
+				{{ partial "main/edit-page.html" . }}
+			{{ end -}}
+		</main>
+	</div>
 {{ end }}
--- a/layouts/blog/single.html
+++ b/layouts/blog/single.html
@ -1,14 +1,31 @@
 {{ define "main" }}
-<div class="row justify-content-center">
-  <div class="col-md-12 col-lg-10 col-xl-8">
-    <article>
-      <div class="blog-header">
-        <h1>{{ .Title }}</h1>
-        {{ partial "main/blog-meta.html" . }}
-      </div>
-      <p class="lead">{{ .Params.lead | safeHTML }}</p>
-      {{ .Content }}
-    </article>
-  </div>
-</div>
-{{ end }}
+	<div class="row flex-xl-nowrap">
+		{{ if ne .Params.toc false -}}
+		<nav class="docs-toc d-none d-xl-block col-xl-3" aria-label="Secondary navigation">
+			{{ partial "sidebar/docs-toc.html" . }}
+		</nav>
+		{{ end -}}
+		{{ if .Params.toc -}}
+		<main class="docs-content col-lg-11 col-xl-9">
+		{{ else -}}
+		<main class="docs-content col-lg-11 col-xl-9 mx-xl-auto">
+		{{ end -}}
+			{{ if .Site.Params.options.breadCrumb -}}
+				<!-- https://discourse.gohugo.io/t/breadcrumb-navigation-for-highly-nested-content/27359/6 -->
+				<nav aria-label="breadcrumb">
+					<ol class="breadcrumb">
+						{{ partial "main/breadcrumb" . -}}
+						<li class="breadcrumb-item active" aria-current="page">{{ .Title }}</li>
+					</ol>
+				</nav>
+			{{ end }}
+			<h1>{{ .Title }}</h1>
+			<p class="lead">{{ .Params.lead | safeHTML }}</p>
+			{{ partial "main/headline-hash.html" .Content }}
+			{{ if .Site.Params.editPage -}}
+				{{ partial "main/edit-page.html" . }}
+			{{ end -}}
+			{{ partial "main/docs-navigation.html" . }}
+		</main>
+	</div>
+{{ end }}