Kyle Spearrin
9 years ago
committed by
GitHub
1 changed files with 43 additions and 0 deletions
@ -0,0 +1,43 @@ |
|||||||
|
bitwarden believes that working with security researchers across the globe is crucial to keeping our |
||||||
|
users safe. If you believe you've found a security issue in our product or service, we encourage you to |
||||||
|
notify us. We welcome working with you to resolve the issue promptly. Thanks in advance! |
||||||
|
|
||||||
|
# Disclosure Policy |
||||||
|
|
||||||
|
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every |
||||||
|
effort to quickly resolve the issue. |
||||||
|
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a |
||||||
|
third-party. We may publicly disclose the issue before resolving it, if appropriate. |
||||||
|
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or |
||||||
|
degradation of our service. Only interact with accounts you own or with explicit permission of the |
||||||
|
account holder. |
||||||
|
|
||||||
|
# In-scope |
||||||
|
|
||||||
|
- Security issues in any current release of bitwarden. This includes the web vault, browser extension, |
||||||
|
and mobile apps (iOS and Android). Product downloads are available at https://bitwarden.com. Source |
||||||
|
code is available at https://github.com/bitwarden. |
||||||
|
|
||||||
|
# Exclusions |
||||||
|
|
||||||
|
The following bug classes are out-of scope: |
||||||
|
|
||||||
|
- Bugs that are already reported on any of bitwarden's issue trackers (https://github.com/bitwarden), |
||||||
|
or that we already know of. Note that some of our issue tracking is private. |
||||||
|
- Issues in an upstream software dependency (ex: Xamarin, ASP.NET) which are already reported to the |
||||||
|
upstream maintainer. |
||||||
|
- Attacks requiring physical access to a user's device. |
||||||
|
- Self-XSS |
||||||
|
- Issues related to software or protocols not under bitwarden's control |
||||||
|
- Vulnerabilities in outdated versions of bitwarden |
||||||
|
- Missing security best practices that do not directly lead to a vulnerability |
||||||
|
- Issues that do not have any impact on the general public |
||||||
|
|
||||||
|
While researching, we'd like to ask you to refrain from: |
||||||
|
|
||||||
|
- Denial of service |
||||||
|
- Spamming |
||||||
|
- Social engineering (including phishing) of bitwarden staff or contractors |
||||||
|
- Any physical attempts against bitwarden property or data centers |
||||||
|
|
||||||
|
Thank you for helping keep bitwarden and our users safe! |
||||||
Loading…
Reference in new issue