Commit 0f37701

Merge pull request #432 from gruntwork-io/apt-1178-vulnerability-disclosure-policy
[APT-1178] vulnerability disclosure policy
2 parents 9487719 + 3cbe4a6 commit 0f37701

10 files changed

+181
-13
lines changed

_data/legal.yml

Lines changed: 8 additions & 1 deletion
@@ -174,4 +174,11 @@
174174
description: In the past, we charged a one-time deposit of $500 upon signing up. We no longer do this on our current website checkout, so we have removed mention of this from our terms of service.
175175
category: terms-of-service
176176
link: https://github.com/gruntwork-io/gruntwork-io.github.io/commit/d750788700f3f6e27ac4afd7da0cefd837386b1a
177-
date: 2022-02-24
177+
date: 2022-02-24
178+
179+
- guid: 10021
180+
title: Added Our Vulnerability Disclosure Policy
181+
description: As a reflection of our ongoing commitment to security, and in the interest of full transparency, we’ve created a Vulnerability Disclosure Policy. This establishes a formal commitment to our customers, as well as procedures through which any security concerns may be reported to Gruntwork.
182+
category: vulnerability-disclosure-policy
183+
link: https://github.com/gruntwork-io/gruntwork-io.github.io/commit/2d765b5
184+
date: 2022-05-02
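
Review bot: The new `link` for guid 10021 uses the abbreviated hash `2d765b5`, while the entry directly above it links to a full 40-character commit SHA. Abbreviated hashes can become ambiguous as the repository grows, so use the full SHA here to keep the changelog reference stable. The `date: 2022-02-24` line at 177 is also removed and re-added with no visible change, which looks like a whitespace or end-of-file newline difference that is better kept out of the diff.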

_data/sitemap.yml

Lines changed: 3 additions & 9 deletions
@@ -58,16 +58,10 @@
5858
- title: Careers
5959
url: /careers/
6060

61-
- title: Terms of Service
62-
url: /terms/
61+
- title: Security
62+
url: /security/
6363

64-
- title: Privacy Policy
65-
url: /legal/privacy-policy/
66-
67-
- title: Cookie Policy
68-
url: /legal/cookie-policy/
69-
70-
- title: All Legal Docs
64+
- title: Legal
7165
url: /legal
7266

7367
- title: Connect
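
Review bot: Lines 61-70 drop the Terms of Service, Privacy Policy and Cookie Policy entries in favour of a single Legal entry, so those three pages are now listed only indirectly through `/legal`; please confirm that page links to all of them. The retained `url: /legal` has no trailing slash, unlike `/careers/` and the new `/security/`, so consider normalising it for consistency.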

_layouts/policy.html

Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
---
2+
layout: default
3+
---
4+
5+
<div class="main">
6+
<div class="section">
7+
<div class="container">
8+
<div class="row">
9+
<div class="col-xs-12">
10+
<h1>{{ page.title }}</h1>
11+
<p><em>Last Updated: {{ page.modified_date }}</em></p>
12+
</div>
13+
</div>
14+
<div class="row">
15+
<div class="col-xs-12">
16+
{{content}}
17+
</div>
18+
</div>
19+
</div>
20+
</div>
21+
</div>
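
Review bot: Line 11 prints `Last Updated: {{ page.modified_date }}` unconditionally, so any page that uses this layout without setting `modified_date` renders an empty "Last Updated:" label. Wrap that paragraph in a check that `page.modified_date` is set, and add a short comment at the top of the layout naming `title` and `modified_date` as the front-matter fields it expects.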

pages/feed/index.html

Lines changed: 2 additions & 3 deletions
@@ -1,7 +1,7 @@
11
---
22
layout: default
3-
title: Legal Feed
4-
excerpt: Gruntwork Legal and Privacy Updates.
3+
title: Contract & Policy Changelog
4+
excerpt: A history of all updates to Gruntwork contracts and policies.
55
permalink: /legal/feed/
66
redirect_from: /feed/
77
slug: feed
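
Review bot: The new title on line 3 contains a raw `&`. Templates added elsewhere in this change print `{{ page.title }}` without an escape filter, so check that wherever this title is rendered it is emitted as `&amp;`, or apply `| escape` at the point of output.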
@@ -13,7 +13,6 @@
1313
</div>
1414
<div class="section section-dark">
1515
<div class="container">
16-
<p><a href="/legal">Back to Legal</a></p>
1716
{% include_relative _changes.html %}
1817
</div>
1918
</div>

pages/security/_commitment.html

Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
<h3>Our Commitment</h3>
2+
<p>At Gruntwork, we understand the critical importance of security, both with respect to our customers’ information, as well as the infrastrucuture our customers build using our IaC library. Gruntwork is firmly committed to ensuring the security of its customers and users by protecting their information.</p>
3+
<p>See below for a list of our security policies, or subscribe to our <a href="/legal/feed">RSS feed</a> or <a href="http://eepurl.com/cdOjYX" target="_blank">security mailing list</a> to stay up to date on policy changes and security news.</p>
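
Review bot: Line 2 has a typo in customer-facing copy: "infrastrucuture" should be "infrastructure". The same sentence pairs "both ... as well as", which reads more cleanly as "both ... and".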

pages/security/_hero.html

Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
<div class="container">
2+
<div class="row">
3+
<div class="col-xs-12">
4+
<h1>{{ page.title }}</h1>
5+
<p class="lead">
6+
{{ page.excerpt }}
7+
</p>
8+
<p>
9+
<a class="btn btn-primary-hollow btn-sm d-inline-block" href="mailto:[email protected]"
10+
>Report a Security Concern</a
11+
>
12+
</p>
13+
</div>
14+
</div>
15+
</div>

pages/security/_policies.html

Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
<div class="row row-page-header">
2+
<div class="col-xs-12">
3+
<h3>Security Policies</h3>
4+
<ul style="margin-left: -20px;">
5+
<li>
6+
<a href="/security/vulnerability-disclosure-policy">Vulnerability Disclosure Policy</a>
7+
</li>
8+
</ul>
9+
<h3>Security Updates</h3>
10+
<ul>
11+
<li><strong>Subscribe to our security mailing list.</strong> All Gruntwork subscribers receive notifications related to security releases, vulnerabilities, disclosures, and related security news via our mailing list. <a href="http://eepurl.com/cdOjYX" target="_blank">Subscribe to our security mailing list</a> to receive these updates.</li>
12+
<li><strong>Get policy updates programmatically.</strong> Subscribe to our <a href="/legal.rss">policy RSS feed</a> to be notified when we release updates to our security policies. Note that you may need to cut and paste the RSS URL into your favorite RSS Feed Reader to monitor updates.<br/></li>
13+
<li><strong>View recent policy updates.</strong> <a href="/legal/feed">View changes to our legal and security policies.</a> This is a human-friendly rendering of our RSS feed.</li>
14+
</ul>
15+
</div>
16+
</div>
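
Review bot: The mailing-list link on line 11 opens with `target="_blank"` but has no `rel="noopener noreferrer"`, and it points at `http://eepurl.com/cdOjYX` rather than an `https://` URL; the same link appears on line 3 of `_commitment.html`. Add the `rel` attribute and switch to HTTPS if the destination supports it. As a style point, the first `<ul>` on line 4 carries an inline `style="margin-left: -20px;"` that the second list on line 10 does not, so the two lists will indent differently; a shared class would be easier to maintain.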
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
<h3>Report a Vulnerability</h3>
2+
<p>We accept vulnerability reports via <a href="mailto:[email protected]">[email protected]</a>. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.</p>
3+
4+
<p>We do not support PGP-encrypted emails. For particularly sensitive information, please reach out to <a href="[email protected]">[email protected]</a> to discuss before sending over.</p>
5+
6+
<p>For more information, please see our <a href="/security/vulnerability-disclosure-policy/">Vulnerability Disclosure Policy.</p>
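
Review bot: Two markup bugs in this hunk break the reporting links. On line 4 the anchor's `href` is a bare address with no `mailto:` scheme, unlike the anchor on line 2, so the browser will treat it as a relative URL instead of opening a mail client. On line 6 the anchor around "Vulnerability Disclosure Policy." is never closed before `</p>`; add the missing `</a>`, ideally before the full stop.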

pages/security/index.html

Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
---
2+
layout: default
3+
title: Security
4+
excerpt: Understand our ongoing commitment to security.
5+
permalink: /security/
6+
slug: security
7+
footer_heading: Talk with our team of DevOps experts now!
8+
---
9+
10+
<div class="main page-support">
11+
<div class="section section-hero section-hero-with-button">
12+
{% include_relative _hero.html %}
13+
</div>
14+
<div class="section section-dark">
15+
<div class="container">
16+
{% include_relative _commitment.html %}
17+
</div>
18+
<div class="container">
19+
{% include_relative _policies.html %}
20+
</div>
21+
<div class="container">
22+
{% include_relative _report-a-vulnerability.html %}
23+
</div>
24+
</div>
25+
</div>
Lines changed: 82 additions & 0 deletions
@@ -0,0 +1,82 @@
1+
---
2+
layout: policy
3+
title: Vulnerability Disclosure Policy
4+
modified_date: May 2, 2022
5+
permalink: /security/vulnerability-disclosure-policy/
6+
redirect_from: /vulnerability-disclosure-policy/
7+
slug: vulnerability-disclosure-policy-2
8+
---
9+
10+
## Introduction
11+
12+
Gruntwork is committed to recognizing and encouraging responsible disclosure of security vulnerabilities. This policy is intended to give security researchers, external to Gruntwork, clear guidelines for conducting security research and to convey our preferences in how to submit discovered vulnerabilities to us.
13+
14+
Among other things, this policy describes **what systems and types of research** are covered under this policy, **how to send us** vulnerability reports, and **how long** we ask security researchers to wait before publicly disclosing vulnerabilities.
15+
16+
We encourage you to contact us via email at [[email protected]](mailto:[email protected]) to report potential vulnerabilities in our systems.
17+
18+
## Authorization
19+
20+
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be "authorized" under the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, and any applicable anti-hacking laws such as Cal. Penal Code 502(c) and Gruntwork will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.
21+
22+
Please note however that if your security research involves the products, services, or systems of a third party, that third party is not bound by our commitment not to pursue legal action. You should review the disclosure policies of any relevant third parties before beginning your research.
23+
24+
## Guidelines
25+
26+
Under this policy, “research” means activities in which you do the following:
27+
28+
- Notify us as soon as possible after you discover a real or potential security issue.
29+
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data;
30+
- Only use exploits to the extent necessary to confirm a vulnerability’s presence and do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems;
31+
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly; and
32+
- Do not submit a high volume of low-quality reports.
33+
34+
Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), **you must stop your test, notify us immediately at [[email protected]](mailto:[email protected]), and not disclose this data to anyone else**.
35+
36+
## Test methods
37+
38+
The following test methods are not authorized:
39+
40+
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data; and
41+
- Physical testing (e.g. office access, open doors, tailgating), social engineering attacks against Gruntwork employees (e.g., phishing, vishing), or any other non-technical vulnerability testing.
42+
43+
## Scope
44+
45+
This policy applies to the following systems and services:
46+
47+
- Source code at [https://github.com/gruntwork-io](https://github.com/gruntwork-io)
48+
- [Gruntwork.io](http://gruntwork.io) website
49+
- Gruntwork portal ([app.gruntwork.io](https://app.gruntwork.io))
50+
51+
**Any service not expressly listed above, such as any connected services, are excluded from scope** and are not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at [[email protected]](mailto:[email protected]) before starting your research.
52+
53+
Though we develop and maintain other internet-accessible systems or services, we ask that *active research and testing* only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We may increase the scope of this policy over time.
54+
55+
## Reporting a vulnerability
56+
57+
**We accept vulnerability reports via [[email protected]](mailto:[email protected])**. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.
58+
59+
We do not support PGP-encrypted emails. For particularly sensitive information, please reach out to [[email protected]](mailto:[email protected]) to discuss before sending over.
60+
61+
NOTE: *Currently, Gruntwork does not have an official bug bounty program, however we are grateful for efforts to help make our products more secure. Therefore, if you make a security disclosure, we may pay up to $500 cash, depending on the impact of the vulnerability. Please note that by submitting a vulnerability, you acknowledge that payment is completely at the discretion of Gruntwork.*
62+
63+
## What we would like to see from you
64+
65+
In order to help us triage and prioritize submissions, we recommend that your report include the following:
66+
67+
- A description of the location the vulnerability was discovered and the potential impact of exploitation, and
68+
- A detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
69+
70+
If possible, we prefer that reports are submitted in English.
71+
72+
## What you can expect from us
73+
74+
We appreciate the contributions of security researchers and commit to the following:
75+
76+
- If you share contact information, we will acknowledge receipt of your report within 3 business days.
77+
- We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution adequately addresses the vulnerability.
78+
- We may, in our sole discretion, offer to recognize your contribution by providing a reward or public acknowledgement of your efforts.
79+
80+
## Questions
81+
82+
Questions regarding this policy may be sent to [[email protected]](mailto:[email protected]). We also invite you to contact us with suggestions for improving this policy.
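
Review bot: The introduction on line 14 says the policy describes "how long" researchers are asked to wait before public disclosure, but the only related text is "a reasonable amount of time" on line 31, with no period stated. Either give a concrete disclosure window or reword line 14 so it does not promise one. Smaller points: the `slug` on line 7 ends in `-2`, which looks like a leftover from a duplicate page; the Gruntwork.io link on line 48 uses `http://` while the other two scope entries use `https://`; the Guidelines list on lines 28-32 mixes a full stop with semicolons as item terminators; and line 51 should read "Any service ... is excluded" to agree with its singular subject.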
