Security Disclosure Policy

Last updated: May 14, 2022

As part of the security community, Noname Security provides tools to other organizations to help with their security posture. We do research and development, create code, and assist our customers and partners with securing their environment. However, we’re human too, and it’s possible, even likely, we’ve got bugs or misconfigurations in our systems. With this in mind, we’d like to leverage the wider community in helping us secure our systems so we can continue to help others.

Our bug bounty program allows us to recognize those whose efforts support us in keeping our systems and customers secure.

Rewards

Response Times

Noname Security strives to respond to reports as follows:

• First response – 5 business days from submission.
• Triage – 10 business days from submission.
• Bounty payout – 10 business days from triage.

We do our best to keep researchers informed throughout the process.

Note that we will need to perform identity verification steps to comply with regulatory requirements such as Know-Your-Customer (KYC) and international banned lists.

Program Rules

To report a vulnerability detected in Noname’s website, infrastructure, or its offered products, please fill out the form below with your email, and a brief description of the attack vector. Include all relevant vulnerability details along with a descriptive set of instructions to reproduce the vulnerability found.

We request the security community to allow us to fix any identified vulnerabilities before releasing the information publicly while adhering to the following:

PLEASE DO: Notify us before announcing the vulnerability on any public forum, both online or in-person.

PLEASE DON’T: Exploit a vulnerability to cause potential damage or view unauthorized data, or disclose a vulnerability to others until it has been resolved.

Additional Guidance

• Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue is not eligible for a reward.
• Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only award the first eligible report that we receive.
• When multiple vulnerabilities are caused by one underlying issue, we award a single bounty.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Denial of service attacks are prohibited.
• Avoid privacy violations, destruction of data, and interruption or degradation of our service.

Common vulnerabilities to look for across all endpoints:

• Information disclosure (cluster health, internal hostnames, passwords)
• Exploitable TLS vulnerabilities or misconfiguration
• Components with exploitable security vulnerabilities
• Unauthorized or elevated persistent store access
• Sensitive AWS/GCP/Azure metadata exposure
• Cross-tenant administrative access or information disclosure
• REST API vulnerabilities
• OWASP Top 10 vulnerabilities
• CWE-SANS Top 25 Dangerous Bugs
• SQL injections
• Privilege Escalation
• Leakage of Sensitive Data (open S3 buckets, PII/PHI, etc)
• Authentication Bypass
• Remote Code Execution

We are not interested in low impact, purely theoretical or best-practice issues. We don’t consider them eligible for the bounty program.

Here are some examples:

• Broken links
• Denial of service vulnerabilities
• Local privilege escalation that requires write access to the installer/program directory (eg most DLL hijacking)
• HTTP Options header
• Headers like Server/X-Powered-By disclosing version information
• XSS issues in non-current browsers
• Unvalidated reports from automated vulnerability scanners
• CSRF with minimal security implications (logout, DoS, etc.)
• Clickjacking
• Issues related to email spoofing (eg SPF/DMARC)
• DNS issues
• Content spoofing
• Reports that state that software is out of date or vulnerable without a proof of concept
• Missing autocomplete attributes
• Missing cookie flags on non-security sensitive cookies
• SSL/TLS scan reports (this means output from sites such as SSL Labs)
• Client-side caching issues
• Concurrent sessions
• HPKP / HSTS preloading
• Implausible brute force attacks

Technology services owned and hosted by 3rd parties are excluded from this program. Vulnerabilities reported, if hosted by 3rd parties, should be reported to the 3rd party directly.

Vulnerabilities found in non-production environments may be excluded from this policy at our discretion.