Full Disclosure Security Policy

Date: August 14, 2020

Our aim is to provide the best services we can in a highly secure fashion. We take security very seriously. Part of that is communication with the security community at large. We are providing this policy so that researchers can get in touch with us when they spot issues within our system. It gives researchers a way to give us feedback and acts as a guide for communication between the researcher and Airship.

Airship’s security policy provides guidelines for interaction between our company and security researchers. Upon discovering a security issue and communicating it to security@airship.com, a researcher can expect a response within seven days.

Airship is responsible for delivering status updates at least once every seven days until the problem is resolved or a fix is scheduled for release. We ask for full participation from researchers during this period.

Working with Airship is, of course, a voluntary choice, and a choice that hopefully researchers respect and accept accordingly. The goal of following this policy, above all else, is education: for Airship, for the researcher, our customers, and the community.

Responsible Disclosure Guidelines:

Eligibility requirements:

Acknowledgements for third-party security issues impacting Airship are issued at Airship’s discretion (e.g., inclusion in the Hall of Fame).

Prohibited Testing

Please only test services to which you have authorized access. The following testing is not allowed

NOTE: This is not a comprehensive list of prohibited activities. Items that are not explicitly mentioned but that a reasonable person may consider not allowed are subject to this policy requirement. Prohibited activities are determined at Airship’s sole discretion.

Out of scope issues: 

Eligible Domains

The following URLs are in scope for our program:
www.airship.com

www.airship.eu

www.apptimize.eu

www.apptimize.com

analyze.airship.com

analyze-api.airship.com

docs.airship.com

go.airship.com

sftp.airship.com

support-eu.airship.com

support.airship.com

team.airship.com

accengage.net

device-api.urbanairship.com

combine.urbanairship.com

Submission Process

This hypothetical process is provided as guidance for Airship’s vulnerability disclosure workflow:

PGP Fingerprint

To send secure emails to our security team, please use the following PGP Fingerprint: 0x8ECBD357243F4CF0

Questions

This is an open-ended dialogue. If there is anything missing, you have a question, or if you’re just curious, please send us an email at security@airship.com.

Hall of Fame

Some researchers featured in the Hall of Fame have also received an exclusive Airship Bug Bounty T-Shirt.

The Hall of Fame publicly recognizes researchers’ findings for the last four quarters. Thank you to everyone for your submissions and for working closely with Airship.

| Researcher | Country | Quarter | Finding | Date |
|---|---|---|---|---|
| Amaranath Moger | India | Q1 FY22 | Security Misconfiguration | 2021/04/02 |
| Indresh Verma | India | Q1 FY22 | SSRF | 2021/04/14 |
| Yeshwanth | India | Q1 FY22 | Cross-Site Scripting (XSS) - DOM | 2021/04/20 |
| Darshan Jogi | | Q2 FY22 | SSRF | 2021/05/08 |
| Shay Ben Tikva | Israel | Q2 FY22 | Missing Function Level Access Control | 2021/05/15 |
| Kinshuk Kumar | India | Q2 FY22 | Security Misconfiguration | 2021/05/22 |
| Muskan Ravi Suryawanshi | India | Q2 FY22 | Security Misconfiguration | 2021/05/22 |
| k21 | China | Q2 FY22 | Missing Function Level Access Control | 2021/05/26 |
| Bijay Silwal | Nepal | Q2 FY22 | SSTI | 2021/05/29 |
| Abhishek Kumar | India | Q2 FY22 | Security Misconfiguration | 2021/06/02 |
| Bismaya Kumar Panda | India | Q2 FY22 | Security Misconfiguration | 2021/06/03 |
| melbadry9 | Egypt | Q2 FY22 | Security Misconfiguration | 2021/06/08 |
| Dnyanesh Gawande | India | Q2 FY22 | Security Misconfiguration | 2021/06/21 |
| Ankit Kumar | India | Q2 FY22 | Security Misconfiguration | 2021/06/02 |
| Munimadugu Somasekhar | India | Q2 FY22 | Security Misconfiguration | 2021/07/05 |
| Jefferson Gonzales (Gonz) | Philippines | Q2 FY22 | Security Misconfiguration | 2021/07/30 |
| Jefferson Gonzales (Gonz) | Philippines | Q2 FY22 | Security Misconfiguration | 2021/07/28 |
| Shripad Shriniwas Raccha | India | Q2 FY22 | Security Misconfiguration | 2021/08/14 |
| Mohamed Althaf | India | Q2 FY22 | Security Misconfiguration | 2021/08/19 |
| Jefferson Gonzales (Gonz) | Philippines | Q2 FY22 | Security Misconfiguration | 2021/08/30 |
| Hamidjon Qodirov | Russia | Q2 FY22 | Security Misconfiguration | 2021/09/01 |
| Bharat[mrnoob] | India | Q2 FY22 | Security Misconfiguration | 2021/09/20 |
| Simbba, Chetanya Sharma | India | Q2 FY22 | Security Misconfiguration | 2021/09/26 |
| Bharat (mrnoob), sundar lal baror | India | Q2 FY22 | Unvalidated Redirect (3rd-Party) | 2021/10/24 |
| Abhinav Kumar | India | Q2 FY23 | Security Misconfiguration | 2022/04/16 |
| Hammad Ahmed | Pakistan | Q2 FY23 | Cross Site Scripting (XSS) | 2022/04/22 |
| Orion Joshi | Nepal | Q4 FY23 | Security Misconfiguration | 2023/01/31 |
| Ramesh Yadav | India | Q1 FY24 | Security Misconfiguration | 2023/02/10 |
| Siddesha GC | India | Q1 FY24 | Security Misconfiguration | 2023/02/24 |
| Aakash Tayal | India | Q1 FY24 | Security Misconfiguration | 2023/03/24 |
