Coordinated Vulnerability Disclosure
Our dependence on digital infrastructure is ever increasing. This applies to society as a whole, but also to ourselves. It is therefore our opinion that governments and organizations (including ours) should strongly commit to securing our digital infrastructure. We do realize that, in spite of our best intentions and greatest care, vulnerabilities may exist in our systems. If you do happen to find one of these weaknesses, we would love to hear from you so we can resolve the issue.
Scope
In this world of growing digital threats, we know it is important to properly map the risks of the services we offer and of our public exposure. Therefore, we continuously assess the risks of our products and services. Also, to proportionally reward you for your efforts in helping us make our services more secure and resilient, we have added a scope for security researchers to this CVD policy.
We make use of several training 'websites' to help our users get familiar with our password manager. Although these websites contain login screens, they are fake: there is no back-end where credentials are stored or where you can actually sign in. To prevent too many false-positive reports under our CVD policy, we decided to scope the policy to the following websites:
Any other domain or subdomain is explicitly excluded from our CVD policy.
However, we do really appreciate your research expertise in finding vulnerabilities in our password manager. You can download our software as a browser extension from the browser web stores, or as a mobile app from the App Store / Play Store. We really appreciate any vulnerabilities you discover in our password manager. Beware that there is a substantial risk you might come to love our vaultless password manager and start using it privately. If so, please tell your friends and family about us! Personal use of the MindYourPass password manager is always free of charge.
We ask you:
- When you are investigating one of our systems, bear in mind the proportionality of the attack. There is no need to demonstrate that when you subject our website to the largest DDoS attack in the history of the internet, the site may become unreachable. We know that. We also understand that if you drive a bulldozer into our office, you will probably be able to snatch one of our laptops.
- This principle of proportionality is also relevant when demonstrating the vulnerability itself. You should not inspect or modify more data than strictly necessary in order to confirm the validity of your finding. For instance, if you are able to modify our homepage, just add a single non-controversial word to it instead of taking over the entire page. If you can obtain access to a database, it suffices to show us a list of the tables that are in there, or perhaps the first record in one of these tables.
- A vulnerability in one of our systems should be reported as soon as possible by sending an email to cvd@mindyourpass.com.
- You will not share your knowledge of the vulnerability with other parties as long as we have not addressed the issue and we are still within a reasonable timeframe since you reported the issue.
- You will delete all confidential information you have obtained during your investigation as soon as we have resolved the vulnerability.
What we promise you:
- We will respond to your report within three business days in a detailed manner. We will include an estimate of the time we will require to address the issue. Of course, we will regularly keep you posted on our progress.
- We will resolve the vulnerability as soon as possible. Here too, proportionality is important: the amount of time required to fix a vulnerability depends on several factors, among which the severity and the complexity of the issue at hand.
- Please provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
- When you follow the guidelines that are laid out here, we will not take legal action against you regarding your report.
- It is important to us to credit you for what you did, if you wish. We will mention your name in a publication regarding the vulnerability only if you agree to this.
- As a thank you for helping us in better protecting our systems, we would like to reward every report of a vulnerability that was unknown to us at the time. The reward will depend on the severity of the vulnerability and the quality of the report.
- Should you find a vulnerability in third-party software that we use, and that vulnerability is covered by a bug bounty program, we will not try to claim this bounty; you should.