<!doctype html><html lang=en-us><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="ie=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><link rel=preload as=font href=/fonts/vendor/jost/jost-v4-latin-regular.woff2 type=font/woff2 crossorigin><link rel=preload as=font href=/fonts/vendor/jost/jost-v4-latin-700.woff2 type=font/woff2 crossorigin><link rel=stylesheet href=/main.1d7b9bbcf00913c73e2065e39eee858e0f46e4df74991d5a1e752637e5e62952ca719c4211dfa5893caa677fed84c424a249acaa289e0d7274c90a024fb35e1f.css integrity="sha512-HXubvPAJE8c+IGXjnu6Fjg9G5N90mR1aHnUmN+XmKVLKcZxCEd+liTyqZ3/thMQkokmsqiieDXJ0yQoCT7NeHw==" crossorigin=anonymous><noscript><style>img.lazyload{display:none}</style></noscript><meta name=robots content="index, follow"><meta name=googlebot content="index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1"><meta name=bingbot content="index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1"><title>Security - mCaptcha</title><meta name=description content="mCaptcha security policies."><link rel=canonical href=/security/><meta name=twitter:card content="summary_large_image"><meta name=twitter:image content="/doks.png"><meta name=twitter:title content="Security"><meta name=twitter:description content="mCaptcha security policies."><meta name=twitter:site content="@"><meta name=twitter:creator content="@"><meta property="og:title" content="Security"><meta property="og:description" content="mCaptcha security policies."><meta property="og:type" content="article"><meta property="og:url" content="/security/"><meta property="og:image" content="/doks.png"><meta property="article:published_time" content="2021-03-10T00:00:00+00:00"><meta property="article:modified_time" content="2021-03-10T00:00:00+00:00"><meta property="og:site_name" content="mCaptcha"><meta property="article:publisher" content="https://www.facebook.com/"><meta property="article:author" 
content="https://www.facebook.com/"><meta property="og:locale" content="en_US"><script type=application/ld+json>{"@context":"http://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"\/"},{"@type":"ListItem","position":2,"name":"Security","item":"\/security\/"}]}</script><meta name=theme-color content="#fff"><link rel=apple-touch-icon sizes=180x180 href=/apple-touch-icon.png><link rel=icon type=image/png sizes=32x32 href=/favicon-32x32.png><link rel=icon type=image/png sizes=16x16 href=/favicon-16x16.png><link rel=manifest href=/site.webmanifest></head><body class="page single"><div class="header-bar fixed-top"></div><header class="navbar fixed-top navbar-expand-md navbar-light"><div class=container><input class="menu-btn order-0" type=checkbox id=menu-btn>
<label class="menu-icon d-md-none" for=menu-btn><span class=navicon></span></label><a class="navbar-brand order-1 order-md-0 me-auto" href=/>mCaptcha</a>
<button id=mode class="btn btn-link order-2 order-md-4" type=button aria-label="Toggle mode">
<span class=toggle-dark><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-moon"><path d="M21 12.79A9 9 0 1111.21 3 7 7 0 0021 12.79z"/></svg></span><span class=toggle-light><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-sun"><circle cx="12" cy="12" r="5"/><line x1="12" y1="1" x2="12" y2="3"/><line x1="12" y1="21" x2="12" y2="23"/><line x1="4.22" y1="4.22" x2="5.64" y2="5.64"/><line x1="18.36" y1="18.36" x2="19.78" y2="19.78"/><line x1="1" y1="12" x2="3" y2="12"/><line x1="21" y1="12" x2="23" y2="12"/><line x1="4.22" y1="19.78" x2="5.64" y2="18.36"/><line x1="18.36" y1="5.64" x2="19.78" y2="4.22"/></svg></span></button><ul class="navbar-nav social-nav order-3 order-md-5"><li class=nav-item><a class=nav-link href=https://github.com/mCaptcha><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-github"><path d="M9 19c-5 1.5-5-2.5-7-3m14 6v-3.87a3.37 3.37.0 00-.94-2.61c3.14-.35 6.44-1.54 6.44-7A5.44 5.44.0 0020 4.77 5.07 5.07.0 0019.91 1S18.73.65 16 2.48a13.38 13.38.0 00-7 0C6.27.65 5.09 1 5.09 1A5.07 5.07.0 005 4.77 5.44 5.44.0 003.5 8.55c0 5.42 3.3 6.61 6.44 7A3.37 3.37.0 009 18.13V22"/></svg><span class="ms-2 visually-hidden">GitHub</span></a></li></ul><div class="collapse navbar-collapse order-4 order-md-1"><ul class="navbar-nav main-nav me-auto order-5 order-md-2"><li class=nav-item><a class=nav-link href=/about/>About</a></li><li class=nav-item><a class=nav-link href=/blog/>Blog</a></li><li class=nav-item><a class=nav-link href=/community/>Community</a></li><li class=nav-item><a class=nav-link 
href=/contact/>Contact</a></li><li class=nav-item><a class=nav-link href=/docs/prologue/introduction/>Docs</a></li></ul><div class="break order-6 d-md-none"></div><form class="navbar-form flex-grow-1 order-7 order-md-3"><input id=userinput class="form-control is-search" type=search placeholder="Search docs..." aria-label="Search docs..." autocomplete=off><div id=suggestions class="shadow bg-white rounded"></div></form></div></div></header><div class="wrap container" role=document><div class=content><div class="row flex-xl-nowrap"><nav class="docs-toc d-none d-xl-block col-xl-3" aria-label="Secondary navigation"><div class=page-links><h3>On this page</h3><nav id=TableOfContents><ul><li><a href=#rules>Rules:</a><ul><li><a href=#before-you-start>Before you start</a></li><li><a href=#performing-your-research>Performing your research</a></li><li><a href=#handling-personally-identifiable-information-pii>Handling personally identifiable information (PII)</a></li><li><a href=#reporting-your-vulnerability>Reporting your vulnerability</a></li><li><a href=#legal-safe-harbor>Legal safe harbor:</a></li></ul></li><li><a href=#scope>Scope:</a><ul><li><a href=#mcaptchaorg>mcaptcha.org</a></li><li><a href=#mcaptchaio>mcaptcha.io</a></li></ul></li></ul></nav></div></nav><main class="docs-content col-lg-11 col-xl-9"><h1>Security</h1><p class=lead></p><p>Security is at the heart of mCaptcha. If you find any discrepancies in
our software (see listing on our <a href=https://github.com/mCaptcha>GitHub</a>,
services available at</p><h2 id=rules>Rules:<a href=#rules class=anchor aria-hidden=true>#</a></h2><h3 id=before-you-start>Before you start<a href=#before-you-start class=anchor aria-hidden=true>#</a></h3><ul><li><p>Check the list of domains that are in scope for the Bug Bounty program
and the list of targets for useful information for getting started.</p></li><li><p>Check the list of bugs that have been classified as ineligible.</p></li><li><p>Check our changelog (on our GitHub repositories) for recently launched features.</p></li><li><p>Never attempt non-technical attacks such as social engineering,
phishing, or physical attacks against our employees, users, or
infrastructure.</p></li></ul><p>When in doubt, contact
me (<a href=/contributors/aravinth-manivannan/>@realaravinth</a>) at
<a href=mailto:realaravinth@batsense.net>realaravinth@batsense.net</a>.</p><h3 id=performing-your-research>Performing your research<a href=#performing-your-research class=anchor aria-hidden=true>#</a></h3><ul><li><p>Do not impact other users with your testing; this includes testing
vulnerabilities with CAPTCHA credentials and account credentials
of organizations you do not own. If you are attempting to find an
authorization bypass, you must use accounts you own.</p></li><li><p>The following are never allowed for research. We may
suspend your mCaptcha account for:</p><ul><li><p>Performing distributed denial of service (DDoS) or other volumetric
attacks. Sure, we are a DDoS protection company, but with sufficient
resources and motivation, it is possible to take us down. For this
reason, we ask that you not hammer us.</p></li><li><p>Spamming content. Large-scale vulnerability scanners, scrapers, or
automated tools which produce excessive amounts of traffic.</p><p>Note: We do allow the use of automated tools so long as they do
not produce excessive amounts of traffic. For example, running
one nmap scan against one host is allowed, but sending 65,000
requests in two minutes using Burp Suite Intruder is excessive.</p></li></ul></li><li><p>Researching denial-of-service attacks is allowed only if you follow
these rules:</p><ul><li><p>There are no limits for researching denial of service
vulnerabilities against your own instance of the mCaptcha server.</p><p>We strongly recommend this method for researching
denial of service issues.</p></li><li><p>If you choose to test on mCaptcha proper (i.e.
<a href=https://mcaptcha.org>https://mcaptcha.org</a> or <a href=https://mcaptcha.io>https://mcaptcha.io</a>):</p><ul><li>Research must be performed using credentials you own.</li><li>Stop immediately if you believe you have affected the
availability of our services. Don’t worry about demonstrating
the full impact of your vulnerability; our team
will be able to determine the impact.</li></ul></li></ul></li></ul><h3 id=handling-personally-identifiable-information-pii>Handling personally identifiable information (PII)<a href=#handling-personally-identifiable-information-pii class=anchor aria-hidden=true>#</a></h3><ul><li><p>Personally identifying information (PII) includes:</p><ul><li>legal and/or full names</li><li>names or usernames combined with other identifiers like phone numbers or email addresses</li><li>health or financial information (including insurance information, social security numbers, etc.)</li><li>information about political or religious affiliations</li><li>information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes</li></ul></li><li><p>Do not intentionally access others’ PII. If you suspect a service
provides access to PII, limit queries to your own personal
information.</p></li><li><p>Report the vulnerability immediately and do not attempt to access any
other data. We will assess the scope and impact of the PII exposure.</p></li><li><p>Limit the amount of data returned from services. For SQL injection,
for example, limit the number of rows returned.</p></li><li><p>You must delete all your local, stored, or cached copies of data
containing PII as soon as possible. We may ask you to sign a
certificate of deletion and confidentiality agreement regarding the
exact information you accessed. We may ask you for the usernames and
IP addresses used during your testing to assess the impact of the
vulnerability.</p></li></ul><h3 id=reporting-your-vulnerability>Reporting your vulnerability<a href=#reporting-your-vulnerability class=anchor aria-hidden=true>#</a></h3><ul><li><p>Please include written instructions for reproducing the
vulnerability.</p></li><li><p>When reporting vulnerabilities, you must keep all information in our
email correspondence. Do not post information to video-sharing or
pastebin sites.</p></li><li><p>For vulnerabilities involving personally identifiable information,
please explain the kind of PII you believe is exposed and limit the
amount of PII data included in your bug report. For textual
information and screenshots, please only include redacted data in your
bug report.</p></li><li><p>During the course of an investigation, it may take time to resolve
the issue you have reported. We ask that you refrain from publicly
disclosing details regarding an issue you’ve reported until the fix has
been publicly made available.</p></li></ul><h3 id=legal-safe-harbor>Legal safe harbor:<a href=#legal-safe-harbor class=anchor aria-hidden=true>#</a></h3><p>We currently don’t have any legal policies in place, but you can rest
assured that as long as your research adheres to the above rules, your
security research and vulnerability disclosure activities are considered
“authorized”.</p><p>A detailed policy based on this sentiment is in the works.</p><h2 id=scope>Scope:<a href=#scope class=anchor aria-hidden=true>#</a></h2><p>mCaptcha runs a number of services. Only domains listed below are
eligible for security research. Any mCaptcha-owned domains not listed
below are <em>not</em> in scope and are <em>not</em> covered by our <a href=./#legal-safe-harbor>legal safe
harbor</a></p><h3 id=mcaptchaorg>mcaptcha.org<a href=#mcaptchaorg class=anchor aria-hidden=true>#</a></h3><ul><li>mcaptcha.org</li><li>demo.mcaptcha.org</li><li>demo2.mcaptcha.org</li></ul><h3 id=mcaptchaio>mcaptcha.io<a href=#mcaptchaio class=anchor aria-hidden=true>#</a></h3><ul><li>mcaptcha.io</li></ul><p class=edit-page><a href=https://github.com/mCaptcha/website/blob/master/content/security/index.md><svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-edit-2"><path d="M17 3a2.828 2.828.0 114 4L7.5 20.5 2 22l1.5-5.5L17 3z"/></svg>Edit this page on GitHub</a></p></main></div></div></div><footer class="footer text-muted"><div class=container><div class=row><div class="col-lg-8 order-last order-lg-first"><ul class=list-inline><li class=list-inline-item>Powered by <a href=https://gohugo.io/>Hugo</a>, and <a href=https://getdoks.org/>Doks</a></li></ul></div><div class="col-lg-8 order-first order-lg-last text-lg-end"><ul class=list-inline><li class=list-inline-item><a href=/about/>About</a></li><li class=list-inline-item><a href=/donate>Donate</a></li><li class=list-inline-item><a href=/privacy-policy/>Privacy</a></li><li class=list-inline-item><a href=/security>Security</a></li><li class=list-inline-item><a href=https://stats.uptimerobot.com/GK7VLFJnBl>Status</a></li><li class=list-inline-item><a href=/thanks>Thanks</a></li></ul></div></div></div></footer><script src=/main.min.db67f0caa6a5788b691b9509981d6e5943f4b8d829170a674f468d4b23671ce4017c47a0a22116a8fc2f2de556c8b48f1afecd86707066f2f022c5dd83e8ea3c.js integrity="sha512-22fwyqaleItpG5UJmB1uWUP0uNgpFwpnT0aNSyNnHOQBfEegoiEWqPwvLeVWyLSPGv7NhnBwZvLwIsXdg+jqPA==" crossorigin=anonymous defer></script><script src=/index.min.6c5c4982ce0ae1f88212e0cba5a6111cc7d16119ec59cb56f8554ea720aa7e5937f6bfb0d7ce366cd2bdebf6e2014c80a27adfb44e9e7175b253e2010156b73e.js 
integrity="sha512-bFxJgs4K4fiCEuDLpaYRHMfRYRnsWctW+FVOpyCqflk39r+w1842bNK96/biAUyAonrftE6ecXWyU+IBAVa3Pg==" crossorigin=anonymous defer></script></body></html>