@ -1,4 +1,4 @@ |
bitwarden believes that working with security researchers across the globe is crucial to keeping our |
Bitwarden believes that working with security researchers across the globe is crucial to keeping our |
users safe. If you believe you've found a security issue in our product or service, we encourage you to |
users safe. If you believe you've found a security issue in our product or service, we encourage you to |
notify us. We welcome working with you to resolve the issue promptly. Thanks in advance! |
notify us. We welcome working with you to resolve the issue promptly. Thanks in advance! |
@ -16,7 +16,7 @@ notify us. We welcome working with you to resolve the issue promptly. Thanks in |
# In-scope |
# In-scope |
- Security issues in any current release of bitwarden. This includes the web vault, browser extension, |
- Security issues in any current release of Bitwarden. This includes the web vault, browser extension, |
and mobile apps (iOS and Android). Product downloads are available at https://bitwarden.com. Source |
and mobile apps (iOS and Android). Product downloads are available at https://bitwarden.com. Source |
code is available at https://github.com/bitwarden. |
code is available at https://github.com/bitwarden. |
@ -24,14 +24,14 @@ notify us. We welcome working with you to resolve the issue promptly. Thanks in |
The following bug classes are out-of scope: |
The following bug classes are out-of scope: |
- Bugs that are already reported on any of bitwarden's issue trackers (https://github.com/bitwarden), |
- Bugs that are already reported on any of Bitwarden's issue trackers (https://github.com/bitwarden), |
or that we already know of. Note that some of our issue tracking is private. |
or that we already know of. Note that some of our issue tracking is private. |
- Issues in an upstream software dependency (ex: Xamarin, ASP.NET) which are already reported to the |
- Issues in an upstream software dependency (ex: Xamarin, ASP.NET) which are already reported to the |
upstream maintainer. |
upstream maintainer. |
- Attacks requiring physical access to a user's device. |
- Attacks requiring physical access to a user's device. |
- Self-XSS |
- Self-XSS |
- Issues related to software or protocols not under bitwarden's control |
- Issues related to software or protocols not under Bitwarden's control |
- Vulnerabilities in outdated versions of bitwarden |
- Vulnerabilities in outdated versions of Bitwarden |
- Missing security best practices that do not directly lead to a vulnerability |
- Missing security best practices that do not directly lead to a vulnerability |
- Issues that do not have any impact on the general public |
- Issues that do not have any impact on the general public |
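Review bot: this hunk only normalizes "bitwarden" to "Bitwarden" on the two issue-tracker and "not under Bitwarden's control" lines, but the surrounding context line `The following bug classes are out-of scope:` keeps a misplaced hyphen; since the file is being touched for consistency anyway, suggest `The following bug classes are out-of-scope:` to match the `# In-scope` heading style used above. The "(ex: Xamarin, ASP.NET)" parenthetical would also read more cleanly as "(e.g. Xamarin, ASP.NET)".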
@ -39,7 +39,7 @@ While researching, we'd like to ask you to refrain from: |
- Denial of service |
- Denial of service |
- Spamming |
- Spamming |
- Social engineering (including phishing) of bitwarden staff or contractors |
- Social engineering (including phishing) of Bitwarden staff or contractors |
- Any physical attempts against bitwarden property or data centers |
- Any physical attempts against Bitwarden property or data centers |
Thank you for helping keep bitwarden and our users safe! |
Thank you for helping keep Bitwarden and our users safe! |