security, donations and about
This commit is contained in:
parent
d47e7ae8b4
commit
b264d56dcd
9 changed files with 223 additions and 36 deletions
|
@ -75,6 +75,7 @@
|
|||
[[footer]]
|
||||
name = "Security"
|
||||
url = "/security"
|
||||
identifier = "security"
|
||||
weight = 10
|
||||
|
||||
[[footer]]
|
||||
|
|
|
@ -70,7 +70,7 @@ code is freely available(both as in freedom and beers) at [our
|
|||
GitHub](https://github.com/mCaptcha/).
|
||||
|
||||
|
||||
## Resources:
|
||||
## Resources
|
||||
|
||||
- [guard](https://github.com/mCaptcha/guard) - mCaptcha backend `AGPL`
|
||||
- [frontend library](https://github.com/mCaptcha/browser) - mCaptcha frontend library. `MIT/APACHE`
|
||||
|
|
|
@ -7,5 +7,14 @@ draft: false
|
|||
images: []
|
||||
---
|
||||
|
||||
Come say hi at our [Matrix community](https://matrix.to/#/+mcaptcha:matrix.batsense.net) or write to me at
|
||||
[realaravinth@batsense.net](mailto:realaravinth@batsense.net)!
|
||||
## Matrix Community
|
||||
|
||||
Come say hi at our [Matrix community](https://matrix.to/#/+mcaptcha:matrix.batsense.net)!
|
||||
|
||||
## Lead developer email
|
||||
|
||||
Write to me at [realaravinth@batsense.net](mailto:realaravinth@batsense.net)!
|
||||
|
||||
## Bug reports
|
||||
|
||||
We GitHub for managing tickets
|
||||
|
|
|
@ -7,13 +7,15 @@ draft: false
|
|||
images: []
|
||||
---
|
||||
|
||||
## Matrix Community
|
||||
|
||||
We have a [Matrix
|
||||
community](https://matrix.to/#/+mcaptcha:matrix.batsense.net), come say
|
||||
hi!.
|
||||
|
||||
You can find
|
||||
me([@realaravinth](/contributors/aravinth-manivannan/))
|
||||
on the [Matrix](https://matrix.to/#/@realaravinth:matrix.batsense.net),
|
||||
on [GitHub](https://github.com/realaravinth) or email me at
|
||||
## Lead developer
|
||||
|
||||
You can find me([@realaravinth](/contributors/aravinth-manivannan/)) on
|
||||
the [Matrix](https://matrix.to/#/@realaravinth:matrix.batsense.net), on
|
||||
[GitHub](https://github.com/realaravinth) or email me at
|
||||
[realaravinth@batense.net](mailto:realaravinth@batsense.net).
|
||||
|
|
|
@ -15,7 +15,7 @@ Some of the payment options are anonymous. You can optionally send
|
|||
me([@realaravinth](/contributors/aravinth-manivannan/)) so that I can
|
||||
thank you :)
|
||||
|
||||
## XMR:
|
||||
## XMR
|
||||
|
||||
```
|
||||
85QAHsHqg4WfA6G7ycXc7U4LmrSLCQARv6H9p3AYjf8o8YP
|
||||
|
@ -28,7 +28,7 @@ WH3ngC8Zi7bUYGUifdXb54Xuz41kcu2pqgGFuAYp3VSh5JsR
|
|||
caption="<em>Monero address QR code</em>"
|
||||
>}}
|
||||
|
||||
## Liberapay:
|
||||
## Liberapay
|
||||
|
||||
<script src="https://liberapay.com/realaravinth/widgets/button.js"></script>
|
||||
|
||||
|
|
|
@ -1,11 +1,146 @@
|
|||
---
|
||||
title: "Community"
|
||||
description: "Drop us an email."
|
||||
title: "Security"
|
||||
description: "mCaptcha security policies."
|
||||
date: 2021-03-10
|
||||
lastmod: 2021-03-10 20:48
|
||||
draft: false
|
||||
images: []
|
||||
identifiers: "security"
|
||||
layout: "security"
|
||||
toc: true
|
||||
---
|
||||
|
||||
Come say hi at our [Matrix community](https://matrix.to/#/+mcaptcha:matrix.batsense.net) or write to me at
|
||||
[realaravinth@batsense.net](mailto:realaravinth@batsense.net)!
|
||||
Security is at the heart of mCaptcha. If you find any discrepancies in
|
||||
our software(see listing on our [GitHub](https://github.com/mCaptcha),
|
||||
services available at
|
||||
|
||||
## Rules:
|
||||
|
||||
### Before you start
|
||||
|
||||
- Check the list of domains that are in scope for the Bug Bounty program
|
||||
and the list of targets for useful information for getting started.
|
||||
|
||||
- Check the list of bugs that have been classified as ineligible.
|
||||
|
||||
- Check our changelog(on our GitHub repositories) for recently launched features.
|
||||
|
||||
- Never attempt non-technical attacks such as social engineering,
|
||||
phishing, or physical attacks against our employees, users, or
|
||||
infrastructure.
|
||||
|
||||
When in doubt, contact
|
||||
me([@realaravinth](/contributors/aravinth-manivannan/)) at
|
||||
[realaravinth@batense.net](mailto:realaravinth@batsense.net).
|
||||
|
||||
### Performing your research
|
||||
|
||||
- Do not impact other users with your testing, this includes testing
|
||||
vulnerabilities with CAPTCHA credentials and account credentials
|
||||
organizations you do not own. If you are attempting to find an
|
||||
authorization bypass, you must use accounts you own.
|
||||
|
||||
- The following are never allowed for research. We may
|
||||
suspend your mCaptcha account for:
|
||||
|
||||
- Performing distributed denial of service (DDoS) or other volumetric
|
||||
attacks. Sure, we are a DDos protection company, but with sufficient
|
||||
resources and motivation, it is possible to take us down. For this
|
||||
reason, we request you to not hammer us.
|
||||
|
||||
- Spamming content Large-scale vulnerability scanners, scrapers, or
|
||||
automated tools which produce excessive amounts of traffic.
|
||||
|
||||
Note: We do allow the use of automated tools so long as they do
|
||||
not produce excessive amounts of traffic. For example, running
|
||||
one nmap scan against one host is allowed, but sending 65,000
|
||||
requests in two minutes using Burp Suite Intruder is excessive.
|
||||
|
||||
- Researching denial-of-service attacks is allowed only if you follow
|
||||
these rules:
|
||||
|
||||
- There are no limits for researching denial of service
|
||||
vulnerabilities against your own instance of mCaptcha server.
|
||||
|
||||
We strongly recommend/prefer this method for researching
|
||||
denial of service issues.
|
||||
|
||||
- If you choose to test on mCaptcha proper (i.e.
|
||||
[https://mcaptcha.org](https://mcaptcha.org) or [https://mcaptcha.io](https://mcaptcha.io)):
|
||||
- Research must be performed using credentials you own.
|
||||
- Stop immediately if you believe you have affected the
|
||||
availability of our services. Don’t worry about demonstrating
|
||||
the full impact of your vulnerability, our team
|
||||
will be able to determine the impact.
|
||||
|
||||
### Handling personally identifiable information (PII)
|
||||
|
||||
- Personally identifying information (PII) includes:
|
||||
|
||||
- legal and/or full names
|
||||
- names or usernames combined with other identifiers like phone numbers or email addresses
|
||||
- health or financial information (including insurance information, social security numbers, etc.)
|
||||
- information about political or religious affiliations
|
||||
- information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes
|
||||
|
||||
- Do not intentionally access others’ PII. If you suspect a service
|
||||
provides access to PII, limit queries to your own personal
|
||||
information.
|
||||
|
||||
- Report the vulnerability immediately and do not attempt to access any
|
||||
other data. We will assess the scope and impact of the PII exposure.
|
||||
|
||||
- Limit the amount of data returned from services. For SQL injection,
|
||||
for example, limit the number of rows returned
|
||||
|
||||
- You must delete all your local, stored, or cached copies of data
|
||||
containing PII as soon as possible. We may ask you to sign a
|
||||
certificate of deletion and confidentiality agreement regarding the
|
||||
exact information you accessed. We may ask you for the usernames and
|
||||
IP addresses used during your testing to assess the impact of the
|
||||
vulnerability.
|
||||
|
||||
### Reporting your vulnerability
|
||||
|
||||
- Please include written instructions for reproducing the
|
||||
vulnerability.
|
||||
|
||||
- When reporting vulnerabilities you must keep all information on in our
|
||||
email correspondence. Do not post information to video-sharing or
|
||||
pastebin sites.
|
||||
|
||||
- For vulnerabilities involving personally identifiable information,
|
||||
please explain the kind of PII you believe is exposed and limit the
|
||||
amount of PII data included in your bug report. For textual
|
||||
information and screenshots, please only include redacted data in your
|
||||
bug report.
|
||||
|
||||
- During the course of an investigation, it may take time to resolve
|
||||
the issue you have reported. We ask that you refrain from publicly
|
||||
disclosing details regarding an issue you’ve reported until the fix has
|
||||
been publicly made available.
|
||||
|
||||
### Legal safe harbor:
|
||||
|
||||
We currently don't have any legal policies in place but you can rest
|
||||
assured that as long as your research adheres to the above rules, your
|
||||
security research and vulnerability disclosure activities are considered
|
||||
as "authorized".
|
||||
|
||||
A detailed policy based on this sentiment is in the works.
|
||||
|
||||
## Scope:
|
||||
|
||||
mCaptcha runs a number of services. Only domains listed below are are
|
||||
eligible for security research. Any mCaptcha-owned domains not listed
|
||||
below are _not_ in scope and are _not_ covered by our [legal safe
|
||||
harbor](./#legal-safe-harbor)
|
||||
|
||||
### mcaptcha.org
|
||||
|
||||
- mcaptcha.org
|
||||
- demo.mcaptcha.org
|
||||
- demo2.mcaptcha.org
|
||||
|
||||
### mcaptcha.io
|
||||
|
||||
- mcaptcha.io
|
||||
|
|
|
@ -13,7 +13,10 @@
|
|||
{{ .Scratch.Add "class" " list" -}}
|
||||
{{ end -}}
|
||||
<body class="{{ .Scratch.Get "class" }}">
|
||||
|
||||
|
||||
{{ partial "header/header.html" . }}
|
||||
|
||||
<div class="wrap container" role="document">
|
||||
<div class="content">
|
||||
{{ block "main" . }}{{ end }}
|
||||
|
|
|
@ -1,10 +1,30 @@
|
|||
{{ define "main" }}
|
||||
<div class="row justify-content-center">
|
||||
<div class="col-md-12 col-lg-10 col-xl-8">
|
||||
<article>
|
||||
<h1>{{ .Title }}</h1>
|
||||
{{ .Content }}
|
||||
</article>
|
||||
</div>
|
||||
</div>
|
||||
<div class="row flex-xl-nowrap">
|
||||
{{ if ne .Params.toc false -}}
|
||||
<nav class="docs-toc d-none d-xl-block col-xl-3" aria-label="Secondary navigation">
|
||||
{{ partial "sidebar/docs-toc.html" . }}
|
||||
</nav>
|
||||
{{ end -}}
|
||||
{{ if .Params.toc -}}
|
||||
<main class="docs-content col-lg-11 col-xl-9">
|
||||
{{ else -}}
|
||||
<main class="docs-content col-lg-11 col-xl-9 mx-xl-auto">
|
||||
{{ end -}}
|
||||
{{ if .Site.Params.options.breadCrumb -}}
|
||||
<!-- https://discourse.gohugo.io/t/breadcrumb-navigation-for-highly-nested-content/27359/6 -->
|
||||
<nav aria-label="breadcrumb">
|
||||
<ol class="breadcrumb">
|
||||
{{ partial "main/breadcrumb" . -}}
|
||||
<li class="breadcrumb-item active" aria-current="page">{{ .Title }}</li>
|
||||
</ol>
|
||||
</nav>
|
||||
{{ end }}
|
||||
<h1>{{ .Title }}</h1>
|
||||
<p class="lead">{{ .Params.lead | safeHTML }}</p>
|
||||
{{ partial "main/headline-hash.html" .Content }}
|
||||
{{ if .Site.Params.editPage -}}
|
||||
{{ partial "main/edit-page.html" . }}
|
||||
{{ end -}}
|
||||
</main>
|
||||
</div>
|
||||
{{ end }}
|
||||
|
|
|
@ -1,14 +1,31 @@
|
|||
{{ define "main" }}
|
||||
<div class="row justify-content-center">
|
||||
<div class="col-md-12 col-lg-10 col-xl-8">
|
||||
<article>
|
||||
<div class="blog-header">
|
||||
<h1>{{ .Title }}</h1>
|
||||
{{ partial "main/blog-meta.html" . }}
|
||||
</div>
|
||||
<p class="lead">{{ .Params.lead | safeHTML }}</p>
|
||||
{{ .Content }}
|
||||
</article>
|
||||
</div>
|
||||
</div>
|
||||
<div class="row flex-xl-nowrap">
|
||||
{{ if ne .Params.toc false -}}
|
||||
<nav class="docs-toc d-none d-xl-block col-xl-3" aria-label="Secondary navigation">
|
||||
{{ partial "sidebar/docs-toc.html" . }}
|
||||
</nav>
|
||||
{{ end -}}
|
||||
{{ if .Params.toc -}}
|
||||
<main class="docs-content col-lg-11 col-xl-9">
|
||||
{{ else -}}
|
||||
<main class="docs-content col-lg-11 col-xl-9 mx-xl-auto">
|
||||
{{ end -}}
|
||||
{{ if .Site.Params.options.breadCrumb -}}
|
||||
<!-- https://discourse.gohugo.io/t/breadcrumb-navigation-for-highly-nested-content/27359/6 -->
|
||||
<nav aria-label="breadcrumb">
|
||||
<ol class="breadcrumb">
|
||||
{{ partial "main/breadcrumb" . -}}
|
||||
<li class="breadcrumb-item active" aria-current="page">{{ .Title }}</li>
|
||||
</ol>
|
||||
</nav>
|
||||
{{ end }}
|
||||
<h1>{{ .Title }}</h1>
|
||||
<p class="lead">{{ .Params.lead | safeHTML }}</p>
|
||||
{{ partial "main/headline-hash.html" .Content }}
|
||||
{{ if .Site.Params.editPage -}}
|
||||
{{ partial "main/edit-page.html" . }}
|
||||
{{ end -}}
|
||||
{{ partial "main/docs-navigation.html" . }}
|
||||
</main>
|
||||
</div>
|
||||
{{ end }}
|
Loading…
Reference in a new issue