grammar and typos in security policy

This commit is contained in:
Aravinth Manivannan 2021-05-27 18:24:50 +05:30
parent b264d56dcd
commit 5ff0dc8c9f
Signed by: realaravinth
GPG key ID: AD9F0F08E855ED88

View file

@ -11,18 +11,19 @@ toc: true
Security is at the heart of mCaptcha. If you find any discrepancies in Security is at the heart of mCaptcha. If you find any discrepancies in
our software(see listing on our [GitHub](https://github.com/mCaptcha), our software(see listing on our [GitHub](https://github.com/mCaptcha),
services available at [services available](#scope))
## Rules: ## Rules:
### Before you start ### Before you start
- Check the list of domains that are in scope for the Bug Bounty program - Check the list of domains that are in scope for security research
and the list of targets for useful information for getting started. and the list of targets for useful information for getting started.
- Check the list of bugs that have been classified as ineligible. - Check the list of bugs that have been classified as ineligible.
- Check our changelog(on our GitHub repositories) for recently launched features. - Check our changelog(in our GitHub repositories) for recently launched
features.
- Never attempt non-technical attacks such as social engineering, - Never attempt non-technical attacks such as social engineering,
phishing, or physical attacks against our employees, users, or phishing, or physical attacks against our employees, users, or
@ -36,16 +37,16 @@ me([@realaravinth](/contributors/aravinth-manivannan/)) at
- Do not impact other users with your testing, this includes testing - Do not impact other users with your testing, this includes testing
vulnerabilities with CAPTCHA credentials and account credentials vulnerabilities with CAPTCHA credentials and account credentials
organizations you do not own. If you are attempting to find an of accounts you do not own. If you are attempting to find an
authorization bypass, you must use accounts you own. authorization bypass, you must use accounts you own.
- The following are never allowed for research. We may - The following are never allowed for research. We may
suspend your mCaptcha account for: suspend your mCaptcha account for:
- Performing distributed denial of service (DDoS) or other volumetric - Performing distributed denial of service (DDoS) or other volumetric
attacks. Sure, we are a DDos protection company, but with sufficient attacks. Sure, we are a DDoS protection organisation, but with sufficient
resources and motivation, it is possible to take us down. For this resources and motivation, it is possible to take us down. For this
reason, we request you to not hammer us. reason, we request you to not hurt us.
- Spamming content Large-scale vulnerability scanners, scrapers, or - Spamming content Large-scale vulnerability scanners, scrapers, or
automated tools which produce excessive amounts of traffic. automated tools which produce excessive amounts of traffic.
@ -59,10 +60,9 @@ me([@realaravinth](/contributors/aravinth-manivannan/)) at
these rules: these rules:
- There are no limits for researching denial of service - There are no limits for researching denial of service
vulnerabilities against your own instance of mCaptcha server. vulnerabilities against your own instance of mCaptcha server. **We
strongly recommend/prefer this method for researching denial of
We strongly recommend/prefer this method for researching service issues.**
denial of service issues.
- If you choose to test on mCaptcha proper (i.e. - If you choose to test on mCaptcha proper (i.e.
[https://mcaptcha.org](https://mcaptcha.org) or [https://mcaptcha.io](https://mcaptcha.io)): [https://mcaptcha.org](https://mcaptcha.org) or [https://mcaptcha.io](https://mcaptcha.io)):
@ -101,12 +101,12 @@ me([@realaravinth](/contributors/aravinth-manivannan/)) at
### Reporting your vulnerability ### Reporting your vulnerability
- Please include written instructions for reproducing the - Reports must include written instructions for reproducing the
vulnerability. vulnerability.
- When reporting vulnerabilities you must keep all information on in our - When reporting vulnerabilities you must keep all information on
email correspondence. Do not post information to video-sharing or restricted to email correspondence with us. Do not post information to
pastebin sites. video-sharing or pastebin sites.
- For vulnerabilities involving personally identifiable information, - For vulnerabilities involving personally identifiable information,
please explain the kind of PII you believe is exposed and limit the please explain the kind of PII you believe is exposed and limit the
@ -121,10 +121,10 @@ me([@realaravinth](/contributors/aravinth-manivannan/)) at
### Legal safe harbor: ### Legal safe harbor:
We currently don't have any legal policies in place but you can rest We currently don't have any legal policies in place but rest assured
assured that as long as your research adheres to the above rules, your that as long as your research adheres to the above rules, your security
security research and vulnerability disclosure activities are considered research and vulnerability disclosure activities are considered as
as "authorized". "authorized".
A detailed policy based on this sentiment is in the works. A detailed policy based on this sentiment is in the works.