Vulnerability Disclosure policy.md


StrangeBee Responsible Vulnerability Disclosure Policy

StrangeBee

Date: June 29, 2022

Version: 1.0


Introduction

This policy is intended to provide clear guidelines to security researchers conducting vulnerability discovery activities on StrangeBee assets and to convey our preferences in how discovered vulnerabilities should be submitted to us.

This document details the systems and research activities covered under this policy, how to submit vulnerability reports, and the remediation period we ask security researchers to observe before publicly disclosing vulnerabilities.

We encourage you to contact us to report potential vulnerabilities affecting our systems or products.

Authorization

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized and will work with you to understand and resolve the issue quickly. StrangeBee will not recommend or pursue legal actions related to your research. Should legal actions be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known to relevant parties.

Guidelines

Under this policy, “research” means activities in which you:

  • Notify us, and only us, as soon as possible after you discover a real or potential security issue
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems
  • Provide us a reasonable amount of time to resolve the issue before you disclose it publicly
  • Do not submit a high volume of low-quality reports

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Test methods

The following test methods are not authorized:

  • Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
  • Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing

Scope

This policy applies to the following applications, systems and services:

Any other subdomain of strangebee[.]com, *.thehive-cloud[.]io and all customer applications are excluded from this policy.

Any service not expressly listed above, including any connected services, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in systems belonging to our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at security[@]strangebee[.]com before starting your research.

Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this policy. If you think a particular system excluded from this scope merits testing, please contact us to discuss it first. We will extend the scope of this policy over time.

Outside of scope

  • Reports of automated scanning tools (SSLlabs.com, Nessus, Qualys …)
  • Reports of non-compliance with best practices (TLS misconfiguration, SPF/DKIM/DMARC configuration)

Rewards

StrangeBee currently does not have a bug or security bounty program; however, we are pleased to send some goodies and credit the reporter on our social media (blog articles, Twitter communications, etc.) when the report complies with the following:

  • Every report will be analyzed and must be approved by StrangeBee
  • You must be the first person to report the vulnerability
  • The StrangeBee vulnerability disclosure policy must be respected. Reports outside of the scope will not be considered

If the report or the way you report/disclose a vulnerability isn’t compliant with our policies, StrangeBee reserves the right to refuse access to rewards or any kind of compensation.

Any irresponsible vulnerability disclosure that may put at risk users of our applications or systems will not be considered for compensation.

Reporting a vulnerability

If you believe you have found a security vulnerability in our applications, systems or services, report it directly to us. Please send security vulnerabilities by emailing the StrangeBee Security team:

security[@]strangebee[.]com

In your email, please include as much information as possible that can help us better understand and resolve the issue:

  • Application and version impacted by the vulnerability
  • The type of vulnerability identified
  • Special configuration and usage required to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Any information (screenshots, source code, scripts, pcap traces, logs...) that can help in reproducing the issue
  • Impact of the issue

This will be very useful and help us triage your report more quickly. Additionally, please tell us if you want to be acknowledged and if you already requested CVE(s). Otherwise, we will request the CVE(s).

You can use our PGP key to securely submit your report.

Please do not report security vulnerabilities through public GitHub issues, discussions, pull requests, or community or public channels, including Discord.

What you can expect from us

We commit to engaging with you as openly and as quickly as possible. Within 3 business days, we will acknowledge that your report has been received.

To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.

We will maintain an open dialogue to discuss issues.

Questions

Questions regarding this policy may be sent to security[@]strangebee[.]com. You can also contact us to suggest improvements to this policy.


Credits: this policy is greatly inspired by the template shared by CISA.gov at https://www.cisa.gov/vulnerability-disclosure-policy-template