This repository was archived by the owner on Mar 7, 2025. It is now read-only.

Security: hack4impact/flask-base


docs/SECURITY.md

Security Policy

We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses.

If you believe you've found a security bug in any of our projects, we'll be happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.

We will investigate legitimate reports and make every effort to quickly resolve any vulnerability. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you, provided you comply with the current policy and, more generally, with the following guideline: make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.

Eligibility and Responsible Disclosure

Only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability.
  • Any vulnerability found must be reported no later than 72 hours after discovery.
  • You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof-of-concept code as necessary.
  • You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit the number of requests per second you send).
  • You must not leak, manipulate, or destroy any user data.
  • You must not be a former or current employee of Open Collective or one of its contractors.
  • You must wait for the issue to be fully fixed before exposing it publicly.
  • There must be proof that, given realistic processing power and time, an exploit is possible.

Scope

We won't accept reports made by testing on any of our production servers.

Ideally, you should do all testing locally, using the appropriate repositories for any of our projects.

Contact

  • Mail: security@hack4impact.org
  • Preferred languages: English
  • If your issue is critical, you can use the PGP key below to encrypt your message
-----BEGIN PGP PUBLIC KEY BLOCK-----
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=Vh3v
-----END PGP PUBLIC KEY BLOCK-----

Rewards

The monetary rewards will depend upon the critical nature of the vulnerability reported.

Qualifying vulnerabilities

  • Remote code execution (RCE)
  • Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
  • Code injections (JS, SQL, PHP, ...)
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF) with real security impact
  • Open redirect
  • Broken authentication & session management
  • Insecure direct object references
  • CORS with real security impact
  • Horizontal and vertical privilege escalation
  • SQL injections

Non-qualifying vulnerabilities

  • "Self" XSS
  • Rate Limiting
  • Text/HTML Injection
  • Social engineering
  • Homograph Attack
  • Missing cookie flags
  • Information disclosure
  • SSL/TLS best practices
  • Mixed content warnings
  • Denial of Service attacks
  • Missing security headers
  • Clickjacking/UI redressing
  • Software version disclosure
  • Stack traces or path disclosure
  • Missing autocomplete attributes
  • Physical or social engineering attempts
  • Recently disclosed 0-day vulnerabilities
  • Presence of autocomplete attribute on web forms
  • Vulnerabilities affecting outdated browsers or platforms
  • Our policies on presence/absence of SPF/DMARC records
  • Any hypothetical flaw or best practices without exploitable POC
  • Issues that require physical access to a victim’s computer/device
  • Logout and other instances of low-severity Cross-Site Request Forgery
  • Extension manipulation without any evidence of vulnerability (Attachments)
  • Missing security-related HTTP headers which do not lead directly to a vulnerability
  • Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
  • Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM/DMARC)
  • Any issues regarding single session features/management
  • RTLO and related issues

Process

  • Reporter submits a report. To make sure that you don't lose too much time preparing a detailed report if the issue is already known to us, you can first submit a short summary without technical details or proofs of concept.
  • Hack4Impact Team...
    • Confirms that the report has been received. If it's an unknown issue, we may ask you for more details.
    • Tries to confirm/reproduce the issue.
    • Discusses results and possible impact to determine the score (low/medium/high/critical) and bounty amount.
  • Reporter is rewarded with a bounty at this stage (if applicable).
  • Team works on a fix, verifies it and pushes it.
  • Team confirms that the issue has been patched and may ask the reporter to check the fix.
  • We write a postmortem to document the issue. From this point it is safe for the reporter to go public about the issue.

How we calculate the severity score

Our analysis is always based on worst-case exploitation of the vulnerability, as is the reward we pay. We rely on CVSS3 as well as internal criteria to score vulnerabilities.

Things that we take into account to adjust the score for vulnerabilities:

  • Everything related to authentication
  • Anything that allows taking control of, or leaking information about, payment methods or connected accounts
  • Anything that compromises the integrity or history of our transactions ledger
  • Anything that compromises the permission system

Attribution

This security policy is adapted from Open Collective's security policy.
