From 8bdd229adb003846f965e1f84ca1763f21548c89 Mon Sep 17 00:00:00 2001 From: Sojan Jose Date: Fri, 2 Sep 2022 16:59:38 +0530 Subject: [PATCH] chore: Update security guidelines (#5382) - update security guidelines --- SECURITY.md | 49 +++++++++++++++++++++++++++++++++++++------------ 1 file changed, 37 insertions(+), 12 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 37e75995e..0722f9217 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,30 +1,55 @@ -# Security Policy -Chatwoot is looking forward to working with security researchers across the world to keep Chatwoot and our users safe. If you have found an issue in our systems/applications, please reach out to us. +Chatwoot is looking forward to working with security researchers worldwide to keep Chatwoot and our users safe. If you have found an issue in our systems/applications, please reach out to us. ## Reporting a Vulnerability -We use [huntr.dev](https://huntr.dev/) for security issues that affect our project. If you believe you have found a vulnerability, please disclose it via this [form](https://huntr.dev/bounties/disclose). +We use [huntr.dev](https://huntr.dev/) for security issues that affect our project. If you believe you have found a vulnerability, please disclose it via this [form](https://huntr.dev/bounties/disclose). This will enable us to review the vulnerability, fix it promptly, and reward you for your efforts. -This will enable us to review the vulnerability, fix it promptly, and reward you for your efforts. +If you have any questions about the process, contact security@chatwoot.com. -If you have any questions about the process, feel free to reach out to security@chatwoot.com. +Please try your best to describe a clear and realistic impact for your report, and please don't open any public issues on GitHub or social media; we're doing our best to respond through Huntr as quickly as possible. + +> Note: Please use the email for questions related to the process. Disclosures should be done via [huntr.dev](https://huntr.dev/) +## Supported versions + +| Version | Supported | +| ------- | -------------- | +| latest | ️✅ | +| Note: Please do not perform testing against Chatwoot production services. Use a `self-hosted instance` to perform tests. 
+- Remote command execution +- SQL Injection +- Authentication bypass +- Privilege Escalation +- Cross-site scripting (XSS) +- Performing limited admin actions without authorization +- CSRF -Please do not perform testing against Chatwoot production services. Use a self hosted instance to perform tests. +You can learn more about our triaging process [here](https://www.chatwoot.com/docs/contributing-guide/security-reports). -We consider the following to be out of scope, though there may be exceptions. +## Non-Qualifying Vulnerabilities + +We consider the following out of scope, though there may be exceptions. - Missing HTTP security headers -- Self XSS -- HTTP Host Header XSS without working proof-of-concept +- Incomplete/Missing SPF/DKIM +- Reports from automated tools or scanners +- Theoretical attacks without proof of exploitability +- Social engineering +- Reflected file download +- Physical attacks +- Weak SSL/TLS/SSH algorithms or protocols +- Attacks involving physical access to a user's device or a device or network that's already seriously compromised (e.g., man-in-the-middle). +- The user attacks themselves - Incomplete/Missing SPF/DKIM - Denial of Service attacks +- Brute force attacks - DNSSEC -- Social Engineering attacks -If you are not sure about the scope, please create a report. +If you are unsure about the scope, please create a [report](https://huntr.dev/repos/chatwoot/chatwoot/). + ## Thanks
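Review bot: The Non-Qualifying list ends up with "Incomplete/Missing SPF/DKIM" twice, since the added `+- Incomplete/Missing SPF/DKIM` line sits above the unchanged `- Incomplete/Missing SPF/DKIM` that was already in the file; drop one of them. Two further points in the same hunk: the `-# Security Policy` line is removed without a replacement, so SECURITY.md now opens on the intro paragraph with no title, and the added `+| Note: Please do not perform testing against Chatwoot production services...` line starts with a pipe directly under the Supported versions table, so Markdown will render it as a stray one-cell table row rather than a note; putting it on its own paragraph (or as a `> Note:` quote like the one used earlier in the file) fixes that. Finally, the qualifying list (`+- Remote command execution` through `+- CSRF`) has no heading visible before it in this hunk, while the out-of-scope list gets `## Non-Qualifying Vulnerabilities`; a matching heading such as "## Qualifying Vulnerabilities" would make the two lists symmetric.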