Trust Center

Full Disclosure Security Policy – Through July 2020

Date: April 17, 2019 — Previous Version

Airship’s security policy provides guidelines for interaction between our company and security researchers. Upon discovering a security issue and communicating it with security@airship.com, a researcher can expect a response within five business days. If a researcher does not receive correspondence from someone at Airship within those five business days, they’re entitled to publicly disclose the security problem. However, we’d much prefer to work on fixing the security problem before the public disclosure.

Airship is responsible for delivering status updates at least once every five business days until the problem is resolved or a fix is scheduled for release. We ask for full participation from researchers during this period.

Airship issues related to email spoofing (SPF / DKIM), TLS ciphers, and web server headers are, for the time being, out of scope.

Purpose

Our aim is to provide the best services we can in a highly secure fashion. We take security very seriously, and part of that is communication with the security community at large. We are providing this policy as a way for researchers to get in touch with us when they spot issues within our system. It gives researchers a way to give us feedback and acts as a guide for communication between the researcher and Airship.

Working with Airship is, of course, a voluntary choice, and one that we hope researchers respect and accept accordingly. The goal of following this policy, above all else, is education: for Airship, for the researcher, for our customers, and for the community.

In Scope Security Vulnerabilities

| Threat | Bounty | Description |
| --- | --- | --- |
| Injection | Acknowledgement + T-Shirt | SQL injection, permanent data changes |
| Broken Authentication | Acknowledgement + T-Shirt | Session hijacking, improper logout, authentication replay |
| Cross-Site Scripting (XSS) | Acknowledgement | Unexpected alert boxes, forced IFrame loads |
| Insecure Direct Object References | Acknowledgement + T-Shirt | Bypassing standard user access controls to obtain more data than is allowed for the current user |
| Security Misconfiguration | Acknowledgement + T-Shirt | Basic security configurations missing, allowing improper information disclosure |
| Sensitive Data Exposure | Acknowledgement + T-Shirt | Fundamental encryption in place is bypassed, allowing data disclosure |
| Missing Function Level Access Control | Acknowledgement + T-Shirt | Accessing privileged resources directly without user access control rules being applied |
| Cross-Site Request Forgery (CSRF) | Acknowledgement + T-Shirt | Allowing state-changing behavior without a secret token |
| Unvalidated Redirects and Forwards | Acknowledgement + T-Shirt | Allowing redirection to another URL without first validating the intended target |
| Remote Code Execution (RCE) | Case-by-case basis | Allowing direct access to the underlying operating system or database with privileged access |

Out of Scope Vulnerabilities

| Threat | Bounty | Description |
| --- | --- | --- |
| Denial of Service | NONE | Any action that disables or makes Airship resources unavailable |
| Distributed Denial of Service | NONE | Performance testing, maxing out network bandwidth, or overloading resources from multiple sources |
| Brute Force Attacks | NONE | Persistent or iterative attacks against Airship production environments |
| Using Components with Known Vulnerabilities | NONE | Reporting that 3rd-party components or libraries Airship is currently using are out of date or vulnerable |
| Bulk Export of Data | NONE | Removing data in bulk from Airship systems without our permission |
| Non-Disclosure of Security Bug | NONE | No bounty or acknowledgement will be issued for disclosing a bug or vulnerability publicly without informing Airship in accordance with this policy |

Details

This hypothetical workflow illustrates the simple set of guidelines at work behind this policy:

  • Researcher discovers a security threat
  • Researcher documents the threat
  • Researcher sends email to security@urbanairship.com with the details of the security issue
  • Within five days, Airship responds to the researcher with the status of the security issue and possible resolutions
  • Every five days thereafter, Airship is required to send a status update to the researcher and to seek feedback on solutions
  • When the security issue has been satisfactorily resolved, the researcher is welcome to publicly disclose the finding

PGP Fingerprint

To send secure emails to our security team, please use the following PGP Fingerprint:

Fingerprint: 0x95bcb1665c76c3a6

Questions

This is an open-ended dialogue. If there is anything missing, or if you’re just curious, please send us an email at security@airship.com.

Hall of Fame

The hall of fame publicly recognizes researchers' findings for the last four quarters. Thank you to everyone for your submissions and for working closely with Airship.

| Researcher | Country | Quarter | Finding | Date |
| --- | --- | --- | --- | --- |
| Amaranath Moger | India | Q1 FY22 | Security Misconfiguration | 2021/04/02 |
| Indresh Verma | India | Q1 FY22 | SSRF | 2021/04/14 |
| Yeshwanth | India | Q1 FY22 | Cross-Site Scripting (XSS) - DOM | 2021/04/20 |
| Darshan Jogi | | Q2 FY22 | SSRF | 2021/05/08 |
| Shay Ben Tikva | Israel | Q2 FY22 | Missing Function Level Access Control | 2021/05/15 |
| Kinshuk Kumar | India | Q2 FY22 | Security Misconfiguration | 2021/05/22 |
| Muskan Ravi Suryawanshi | India | Q2 FY22 | Security Misconfiguration | 2021/05/22 |
| k21 | China | Q2 FY22 | Missing Function Level Access Control | 2021/05/26 |
| Bijay Silwal | Nepal | Q2 FY22 | SSTI | 2021/05/29 |
| Abhishek Kumar | India | Q2 FY22 | Security Misconfiguration | 2021/06/02 |
| Bismaya Kumar Panda | India | Q2 FY22 | Security Misconfiguration | 2021/06/03 |
| melbadry9 | Egypt | Q2 FY22 | Security Misconfiguration | 2021/06/08 |
| Dnyanesh Gawande | India | Q2 FY22 | Security Misconfiguration | 2021/06/21 |
| Ankit Kumar | India | Q2 FY22 | Security Misconfiguration | 2021/06/02 |
| Munimadugu Somasekhar | India | Q2 FY22 | Security Misconfiguration | 2021/07/05 |
| Jefferson Gonzales (Gonz) | Philippines | Q2 FY22 | Security Misconfiguration | 2021/07/30 |
| Jefferson Gonzales (Gonz) | Philippines | Q2 FY22 | Security Misconfiguration | 2021/07/28 |
| Shripad Shriniwas Raccha | India | Q2 FY22 | Security Misconfiguration | 2021/08/14 |
| Mohamed Althaf | India | Q2 FY22 | Security Misconfiguration | 2021/08/19 |
| Jefferson Gonzales (Gonz) | Philippines | Q2 FY22 | Security Misconfiguration | 2021/08/30 |
| Hamidjon Qodirov | Russia | Q2 FY22 | Security Misconfiguration | 2021/09/01 |
| Bharat [mrnoob] | India | Q2 FY22 | Security Misconfiguration | 2021/09/20 |
| Simbba, Chetanya Sharma | India | Q2 FY22 | Security Misconfiguration | 2021/09/26 |
| Bharat (mrnoob), sundar lal baror | India | Q2 FY22 | Unvalidated Redirect (3rd-Party) | 2021/10/24 |
| Abhinav Kumar | India | Q2 FY23 | Security Misconfiguration | 2022/04/16 |
| Hammad Ahmed | Pakistan | Q2 FY23 | Cross-Site Scripting (XSS) | 2022/04/22 |