Vulnerability Disclosure Policy

Introduction

Hello security researcher!

Security and privacy are not just important to polypoly; they are at the core of our business. polypoly appreciates your effort to help us build a new, secure and transparent data economy.

If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, the polypoly Information Security Team wants to hear from you.

This policy outlines steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.

All legitimate reports will be investigated and, if required, the problem will be fixed or mitigated as soon as possible. We ask that you follow this Vulnerability Disclosure Policy and make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services during your research.

In order to protect our customers and members, polypoly kindly asks that you do not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and have informed our customers, members and partners, if needed.

Scope

This policy applies to any digital assets (including public facing websites) owned, operated, or maintained by polypoly.

A reference to "polypoly" in this policy means any of the following organisations:

  • pc polypoly coop SCE mbH – "The polypoly Cooperative"
  • polypoly Enterprise GmbH – "The polypoly Enterprise"
  • polypoly Foundation gGmbH – "The polypoly Foundation"

In-Scope Domains

  • polypoly.coop
  • polypoly.com
  • polypoly.org
  • polypoly.tech
  • polypoly.eu
  • polypoly.net
  • polypoly-business.com
  • polypoly-citizens.eu

In-Scope Applications

polyPod:

Out of Scope

Any asset or other equipment not owned by polypoly is out of scope.

Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.

Out-of-Scope Domains

  • join.polypoly.coop (hosted by our payment provider elopage)

Out-of-Scope Activities

Any of the following activities are prohibited and out of scope:

  • all activities, especially those that modify or delete existing data, cause any interruption to normal operations, or involve intentionally viewing any files or data beyond what is needed to prove a vulnerability
  • compromising or attempting to compromise polypoly staff or service accounts
  • Denial of Service (DoS) or brute force attacks against polypoly and its services
  • physical attacks against polypoly staff, offices, and data centers
  • social engineering of polypoly staff, contractors, vendors, or service providers
  • knowingly posting, transmitting, uploading, linking to, or sending any malware
  • pursuing vulnerabilities which send unsolicited bulk messages (spam) or any other form of unauthorised messages

Out-of-Scope Security Issues

We kindly ask you to not send any reports about security issues without any proven impact.

This includes:

  • Lack of HTTP security headers (CSP, X-XSS-Protection, etc.) on non-sensitive endpoints
  • Missing cookie flags for non-sensitive cookies
  • Self-XSS that cannot be used to exploit other users
  • CORS misconfiguration on non-sensitive endpoints
  • Cross-site Request Forgery with no impact
  • HTTP Request smuggling without any proven impact
  • Disclosure of non-sensitive information (such as version numbers or image metadata)
  • Absence of rate limits
  • Vulnerabilities affecting users of outdated or unpatched browsers and platforms
  • IDN homograph attacks
  • Reverse tabnabbing
  • Lack of best practices without exploitable proof of concept

Our Commitments

When responsibly disclosing vulnerabilities and working with us according to this policy, you can expect us to:

  • Respond to your report promptly, and work with you to understand and validate your report;
  • Strive to keep you informed about the progress of a vulnerability as it is processed;
  • Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints;
  • Extend Safe Harbor for your vulnerability research that is related to this policy; and
  • Honour requests for anonymity: if you wish to report an issue anonymously, please state this in your communication, and we will not contact you or retain your personal information.

Handling of Security Reports

In response to your initial submission email you will receive an acknowledgement reply email from the polypoly Information Security Team. We aim to respond within one working day of your report being received.

Following the initial contact, our Information Security Team will work to triage the reported vulnerability and will respond to you as soon as possible to confirm whether further information is required and/or whether the vulnerability qualifies as per the above scope. We aim to respond within 7 working days of your report being received.

From this point, necessary remediation work will be assigned to the appropriate polypoly teams and/or supplier(s). Priority for security bug fixes and/or mitigations will be assigned based on the severity and complexity of exploitation. If necessary, polypoly will obtain a CVE number for the vulnerability.

Our goal is to remediate critical security issues within 7 working days of triage being finished, and within a maximum of 30 working days for any other issue. However, especially when third-party dependencies and external suppliers are involved, remediation may take longer, in which case we will share the estimated remediation time with you. Our Information Security Team will notify you when the reported vulnerability is resolved and will ask you to confirm that the solution covers the vulnerability adequately. For all qualifying vulnerabilities polypoly will publish a security advisory and ask for details you wish to be included. We will also offer to include reporters of qualifying vulnerabilities on our security acknowledgments page.

If polypoly publishes a security advisory we will notify you accordingly. Afterwards you are welcome to publish your findings.

Acknowledgement and rewards

At this time polypoly is not offering a paid bug bounty program.

However, we will offer to include reporters of qualifying vulnerabilities on our security acknowledgement page and to include their details in our security advisories.

Our Expectations

In participating in our vulnerability disclosure program in good faith, we ask that you:

  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
  • Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
  • If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required for effectively demonstrating a proof of concept, and cease testing and submit a report immediately if you encounter any personal user data during testing, such as Personally Identifiable Information (PII), Protected Health Information (PHI), credit card data, or proprietary information;
  • Limit testing related to remote code execution (RCE) vulnerabilities to the following actions only:
    – directly injecting benign commands such as whoami, hostname or ifconfig,
    – uploading a file that outputs the result of a hard-coded benign command;
  • Only interact with test accounts you own or have explicit permission from the account holder to use;
  • Report any vulnerability you’ve discovered promptly; and
  • Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail.

When submitting a report, we ask that you:

  • Use only the Official Channels to discuss vulnerability information with us;
  • Provide us a reasonable amount of time (at least 60 days from the initial report) to resolve the issue before you disclose it publicly;
  • Do not engage in extortion;
  • Keep any information about identified weaknesses and exploitable vulnerabilities confidential between yourself and polypoly until the issue has been remediated;
  • Include a full description of the vulnerability being reported including its exploitability and impact;
  • Provide a valid attack scenario;
  • Provide sufficient evidence (e.g. a short proof of concept);
  • Provide the IP address(es) used during testing; and
  • Provide all information in English, so that we are able to process it.

Official Channels

Please contact polypoly's Information Security Team at security@polypoly.net to report security issues, providing all relevant information.

Please use our PGP key to encrypt your email messages when reporting security issues.

Safe Harbor

When you conduct vulnerability research according to this policy, we consider that research to be:

  • Authorised with respect to any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
  • Authorised with respect to any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws, and not to intentionally disrupt or compromise polypoly systems and services.

If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

polypoly reserves the right to make the determination of whether a violation of this policy is accidental or in good faith. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please contact us through one of our Official Channels before going any further.

Please note that the Safe Harbor applies only to legal claims under the control of the polypoly organisations participating in this policy, and that the policy does not bind independent third parties.

Last Updated: May 4th, 2021

Acknowledgements

polypoly would like to thank the following individuals and organisations for responsibly disclosing a security vulnerability in a polypoly online service or product in accordance with polypoly's Vulnerability Disclosure Policy.
