-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: mailto:security@northern.tech
Preferred-Languages: en
Canonical: https://northern.tech/security.txt
Hiring: https://northern.tech/careers/open-positions
Expires: 2025-05-01T00:00:00z

# Security Policy
#
# - Disclose security issues to us immediately
# - If you discover a security issue, note down your findings, log out, and stop experimenting, as further testing could damage other users and their data
# - Attempts to access, change or delete other users' data are not allowed
# - Do not use automated tools that result in high server load (such as brute forcing or (D)DoS approaches) against our production services and websites
# - Submissions using these approaches will be ignored and may result in your IP(s) being blocked
# - Do not publicly disclose vulnerabilities without coordinating with us, even after the issue has been fixed
# - We have to follow a process of responsibly notifying our customers, giving them time to upgrade, etc.
#
# Areas of interest
#
# - Websites: https://northern.tech, https://cfengine.com, https://mender.io, https://alvaldi.com
# - Online services: https://hosted.mender.io, https://app.alvaldi.com
# - All maintained CFEngine releases
# - All maintained Mender releases
#
# Remuneration
#
# - We evaluate whether something is a security issue and do not pay a reward in cases where we do not consider it a security issue
# - We do not pay out rewards for previously known / reported issues; only the first report receives a reward
# - The decision on severity and the reward amount is made solely by us
# - The reward is paid out using Amazon gift cards (not PayPal)
#
# We assign the severity and the corresponding reward according to the following levels:
#
# ---------------------
# | Severity | Reward |
# ---------------------
# | S1       | $500   |
# | S2       | $250   |
# | S3       | $100   |
# | S4       | $50    |
# ---------------------
#
# The following issues are unlikely to receive a bounty on report:
#
# - Issues around rate limits
# - Low impact information disclosures such as software version disclosure
# - Clickjacking / UI redressing
# - Incomplete or missing SPF/DMARC/DKIM records
# - Missing Cookie flags
# - Missing HTTP Strict Transport Security (HSTS) / Strict-Transport-Security HTTP header
# - Vulnerabilities requiring the use of outdated browsers, plugins or platforms
# - Vulnerabilities that require the user/victim to perform extremely unlikely actions (e.g. Self-XSS)
# - IIS Tilde File and Directory Disclosure
# - CSV Injection
# - PHP Info
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEr+jF9DBXwAkxIimfWEIRr2qz7hIFAmYv5GMACgkQWEIRr2qz
7hJFPw//UKBKXCvykXGrh9iM9mwb83oxdaamoI/F1Z6wWiAVq6sRlOg6MdDRDH26
+lz8AxiiM2SuIq/v3n2YkiSfVDlpDjvUr5ODVPt9V7gVPMkf8bHVqGsdDoDDTuLM
XACH0smfsjerpqa0x/cptbUskykSneNchdZleZJeTV0XaFAvG2hiUEeqr+JFthir
rzvfrpzrEIrkkiHZWDToNYLDtIIW/TlrCmJDUI+rw/x9CQU279bgoZio7WWsWxdz
rzO/6bWO1WnpAo2R0I2TMWxYhtgo5+lXvYOucvA/4jhovsLBxVkaEuoZu8rdSEsc
CauqlycYgJYy89Zylz/VUbRJLxqpg4+7+R0FXEkL8r3VMfsDA/vVhjrvRJ3JT3mu
BhtkRVJuktWvICC7ue4USSvNltRN2WE+nwWnahT+I5MHB+cYco4onAzITsBl0gMF
OddJCx1LGHgecTZaPeJEBmHQcBzOfRSL6RQwZZmDt+vFadChjwJOztgTNoQGG9IY
n9qWPEPpT7WGjs76dMK9upYzHFBvWqidogusutKTA5ILpluf1yEHsuDn0G/P9MUu
ueOAcj+Kle2AQOskRhtDaPxUiPpZCPOS865MTL+axarn31AHHjHx6xRVc/oDmmaP
AePVeE/i7uh84yCRsj4KXTsDTS6MdNLThpbx6SDOo8AbwvQntyo=
=ZnYC
-----END PGP SIGNATURE-----