-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: mailto:security@northern.tech
Preferred-Languages: en
Canonical: https://northern.tech/security.txt
Hiring: https://northern.tech/careers/open-positions
Expires: 2026-05-28T00:00:00z

# Security Policy
#
# - Disclose security issues to us immediately
# - If you discover a security issue, note down your findings, log out, and stop experimenting, as continuing could damage other users and their data
# - Attempts to access, change or delete other users' data are not allowed
# - Do not use automated tools that result in high server load (such as brute forcing or (D)DoS approaches) against our production services and websites
# - Submissions using these approaches will be ignored and may result in your IP(s) being blocked
# - Do not publicly disclose vulnerabilities without coordinating with us, even after the issue has been fixed
# - We have to follow a process of responsibly notifying our customers, giving them time to upgrade, etc.

# Areas of interest
#
# - Websites: https://northern.tech, https://cfengine.com, https://mender.io, https://alvaldi.com
# - Online services: https://hosted.mender.io, https://app.alvaldi.com
# - All maintained CFEngine releases
# - All maintained Mender releases

# Remuneration
#
# - We evaluate whether something is a security issue and do not pay a reward in cases where we do not consider it a security issue
# - We do not pay out rewards for previously known / reported issues; only the first report receives a reward
# - The decision on severity and the reward amount is made solely by us
# - The reward is paid out using Amazon gift cards (not PayPal)
#
# We assign the severity, and the corresponding reward, according to the following levels:
#
# ---------------------
# | Severity | Reward |
# ---------------------
# | S1       | $500   |
# | S2       | $250   |
# | S3       | $100   |
# | S4       | $50    |
# ---------------------
#
# The following issues are unlikely to receive a bounty when reported:
#
# - Issues around rate limits
# - Low-impact information disclosures, such as software version disclosure
# - Clickjacking / UI redressing
# - Subscription model bypass: issues giving access to paid features you seemingly should not have access to
# - Incomplete or missing SPF/DMARC/DKIM records
# - Missing cookie flags
# - Missing HTTP Strict Transport Security (HSTS) / Strict-Transport-Security HTTP header
# - Vulnerabilities requiring the use of outdated browsers, plugins or platforms
# - Vulnerabilities that require the user/victim to perform extremely unlikely actions (e.g. Self-XSS)
# - IIS Tilde File and Directory Disclosure
# - CSV Injection
# - PHP Info
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEr+jF9DBXwAkxIimfWEIRr2qz7hIFAmg3iXYACgkQWEIRr2qz
7hIPGA/7BJV21YIoc7gynd1EueebGSg0oD7uN6KiqJkMaaeqqUOyCc4SKyAjg2AZ
h3FUId/dDQDgeB+fUuVOW0zPFzdToFNtzN+oYr/WzMQKXgMoXwUZh5PKVQt1iXCf
HTGi1sHncqCHryWvpP7KD028tmNHS1PNeGZRmZPzhmta9MYTXA1LgsI9bcyntgaz
BBBddtYUPCMMtj4QZxVN08ivyJK8M9GZFotZXEBXNd18YEQ3YzUDY+jgdtkZ4ts4
9K+EvzlcujrHdFB4HUM7Dbf/PqcMMztwU0FQhIl679PSezbuksfFhpdf8Z88mptA
zMNrtlJf2P+hziSVq0xYbHxy89NGksF1Z65bTe1uJ5yIsGR8c7UKPTJtC3gDAOIl
9hZSEqn05ztp1QtvZMnvYsGmj6bavsrP+DUqegYkQGBtwOyEGxKXGIt4l79z/198
mjso2AeLd+7YRn/UWfSMvP8yU6NbvIg9BCWGrNX9O4mrT59ibny8DE1+jj78eaaF
/AvqQ1eOsCFWrZ6/HrpAav3sGuez47b2+QDn2oAu+C5cI1KHqHQCzZlJthwH6n7O
/gUg1CC2bhOPQRkttpkARECLL7S7Z8PnlT2WCcaX0dESrwczexctneLw+K4NPaz/
9HWaTiaj72CsX8pLtm5a6X2pTykCrwwx1jCmN6DwTik+0w0a9og=
=8r2u
-----END PGP SIGNATURE-----