Full Disclosure Security Policy – Through July 2020
Date: April 17, 2019 — Previous Version
Airship’s security policy provides guidelines for interaction between our company and security researchers. Upon discovering a security issue and reporting it to security@airship.com, a researcher can expect a response within five business days. If a researcher does not receive correspondence from someone at Airship within those five business days, they’re entitled to publicly disclose the security problem. However, we’d much prefer to work on fixing the security problem before the public disclosure.
Airship is responsible for delivering status updates at least once every five business days until the problem is resolved or a fix is scheduled for release. We ask for full participation from researchers during this period.
Airship issues related to email spoofing (SPF / DKIM), TLS ciphers, and web server headers are, for the time being, out of scope.
Purpose
Our aim is to provide the best services we can in a highly secure fashion. We take security very seriously. Part of that is communication with the security community at large. We are providing this policy as a way for researchers to get in touch with us when they spot issues within our system. It gives researchers a way to give us feedback and acts as a guide for communication between the researcher and Airship.
Working with Airship is, of course, a voluntary choice, and a choice that hopefully researchers respect and accept accordingly. The goal of following this policy, above all else, is education: for Airship, for the researcher, our customers, and the community.
In Scope Security Vulnerabilities
| Threat | Bounty | Description |
|---|---|---|
| Injection | Acknowledgement + T-Shirt | SQL Injection, permanent data changes |
| Broken Authentication | Acknowledgement + T-Shirt | Session hijacking, improper logout, authentication replay |
| Cross-Site Scripting (XSS) | Acknowledgement | Unexpected alert boxes, forced IFrame loads |
| Insecure Direct Object References | Acknowledgement + T-Shirt | Bypassing standard user access controls to produce more data than is allowed by current user |
| Security Misconfiguration | Acknowledgement + T-Shirt | Basic security configurations missing, allowing improper information disclosure |
| Sensitive Data Exposure | Acknowledgement + T-Shirt | Fundamental encryption in place is bypassed allowing data disclosure |
| Missing Function Level Access Control | Acknowledgement + T-Shirt | Accessing privileged resources directly without user access control rules being applied |
| Cross-Site Request Forgery (CSRF) | Acknowledgement + T-Shirt | Allowing state-changing behavior without a secret token |
| Unvalidated Redirects and Forwards | Acknowledgement + T-Shirt | Allowing redirection to another URL without first validating the intended target |
| Remote Code Execution (RCE) | Case-by-case basis | Allowing direct access to the underlying operating system or database with privileged access |
Out of Scope Vulnerabilities
| Threat | Bounty | Description |
|---|---|---|
| Denial of Service | NONE | Any action that disables or makes Airship resources unavailable |
| Distributed Denial of Service or Rate Limiting | NONE | Performance testing, maxing out network bandwidth, or overloading resources with multiple sources |
| Brute Force Attacks | NONE | Persistent or iterative attacks against Airship production environments |
| Using Components with Known Vulnerabilities | NONE | Reporting that third-party components or libraries Airship currently uses are out of date or vulnerable |
| Bulk Export of Data | NONE | Removing data in bulk from Airship systems without our permission |
| Non-Disclosure of Security Bug | NONE | No bounty or acknowledgement will be issued for disclosing a bug or vulnerability publicly without informing Airship in accordance with this policy |
| DNS, DNSSEC, SPF or DMARC Configuration Suggestions | NONE | Any suggestions involving the current configurations around these systems and protocols will NOT be acknowledged. |
| HTTP, HTTPS or TLS Security Header Configuration | NONE | Any suggestions involving the current configurations around these protocols will NOT be acknowledged. |
Details
This hypothetical workflow illustrates the simple set of guidelines at work behind this policy:
- Researcher discovers a security threat
- Researcher documents the threat
- Researcher sends email to security@urbanairship.com with the details of the security issue
- Within five days, Airship responds to the researcher with status regarding the security issue and possible resolutions
- Every five days thereafter, Airship is required to send a status update to the researcher and to seek feedback on solutions
- When the security issue has been satisfactorily resolved, the researcher is welcome to publicly disclose the finding
PGP Fingerprint
To send secure emails to our security team, please use the following PGP Fingerprint:
| Fingerprint |
|---|
| 0x95bcb1665c76c3a6 |
Questions
This is an open-ended dialogue. If there is anything missing, or if you’re just curious, please send us an email at security@airship.com.
Hall of Fame
The hall of fame publicly recognizes researchers’ findings from the last four quarters. Thank you to everyone for your submissions and for working closely with Airship.