Legal
Full Disclosure Security Policy
Date: August 14 , 2020 — Previous Version
Our aim is to provide the best services we can in a highly secure fashion. We take security very seriously. Part of that is communication with the security community at large. We are providing this policy as a way to get in touch with us when researchers spot issues within our system. This gives researchers a way to give us feedback and to act as a guide for communication between the researcher and Airship.
Airship’s security policy provides guidelines for interaction between our company and security researchers. Upon discovering a security issue and communicating it with security@airship.com, a researcher can expect a response within seven days.
Airship is responsible for delivering status updates at least once every seven days until the problem is resolved or a fix is scheduled for release. We ask for full participation from researchers during this period.
Working with Airship is, of course, a voluntary choice, and a choice that hopefully researchers respect and accept accordingly. The goal of following this policy, above all else, is education: for Airship, for the researcher, our customers, and the community.
Responsible Disclosure Guidelines:
Eligibility requirements:
Acknowledgements for third party security issues impacting Airship are issued at Airship’s discretion (E.g. Inclusion in the Hall of Fame).
Prohibited Testing
Please only test services to which you have authorized access. The following testing is not allowed:
NOTE: This is not a comprehensive list of prohibited activities. Items not explicitly mentioned, but may be considered by a reasonable person as not allowed, are subject to this policy requirement. Prohibited activities are determined at Airships sole discretion.
Out of scope issues:
Eligible Domains
The following URLs are in scope for our program:
www.airship.com
www.airship.eu
www.apptimize.eu
www.apptimize.com
analyze.airship.com
analyze-api.airship.com
docs.airship.com
go.airship.com
sftp.airship.com
support-eu.airship.com
support.airship.com
team.airship.com
accengage.net
device-api.urbanairship.com
combine.urbanairship.com
Submission Process
This hypothetical process is provided as guidance for Airship’s vulnerability disclosure workflow:
PGP Fingerprint
To send secure emails to our security team, please use the following PGP Fingerprint: 0x8ECBD357243F4CF0
Hall of Fame
Questions
This is an open-ended dialogue. If there is anything missing, you have a question, or if you’re just curious, please send us an email at security@airship.com.
Hall of Fame
Some researchers featured in the Hall of Fame have also received an exclusive Airship Bug Bounty T-Shirt.
The hall of fame recognizes researchers findings publicly for the last four quarters. Thank you to everyone for your submissions and for working closely with Airship.
| Researcher | Country | Quarter | Finding | Date |
|---|---|---|---|---|
| Amaranath Moger | India | Q1 FY22 | Security Misconfiguration | 2021/04/02 |
| Indresh Verma | India | Q1 FY22 | SSRF | 2021/04/14 |
| Yeshwanth | India | Q1 FY22 | Cross-Site Scripting (XSS) - DOM | 2021/04/20 |
| Darshan Jogi | Q2 FY22 | SSRF | 2021/05/08 | |
| Shay Ben Tikva | Israel | Q2 FY22 | Missing Function Level Access Control | 2021/05/15 |
| Kinshuk Kumar | India | Q2 FY22 | Security Misconfiguration | 2021/05/22 |
| Muskan Ravi Suryawanshi | India | Q2 FY22 | Security Misconfiguration | 2021/05/22 |
| k21 | China | Q2 FY22 | Missing Function Level Access Control | 2021/05/26 |
| Bijay Silwal | Nepal | Q2 FY22 | SSTI | 2021/05/29 |
| Abhishek Kumar | India | Q2 FY22 | Security Misconfiguration | 2021/06/02 |
| Bismaya Kumar Panda | India | Q2 FY22 | Security Misconfiguration | 2021/06/03 |
| melbadry9 | Egypt | Q2 FY22 | Security Misconfiguration | 2021/06/08 |
| Dnyanesh Gawande | India | Q2 FY22 | Security Misconfiguration | 2021/06/21 |
| Ankit Kumar | India | Q2 FY22 | Security Misconfiguration | 2021/06/02 |
| Munimadugu Somasekhar | India | Q2 FY22 | Security Misconfiguration | 2021/07/05 |
| Jefferson Gonzales (Gonz) | Philippines | Q2 FY22 | Security Misconfiguration | 2021/07/30 |
| Jefferson Gonzales (Gonz) | Philippines | Q2 FY22 | Security Misconfiguration | 2021/07/28 |
| Shripad Shriniwas Raccha | India | Q2 FY22 | Security Misconfiguration | 2021/08/14 |
| Mohamed Althaf | India | Q2 FY22 | Security Misconfiguration | 2021/08/19 |
| Jefferson Gonzales (Gonz) | Philippines | Q2 FY22 | Security Misconfiguration | 2021/08/30 |
| Hamidjon Qodirov | Russia | Q2 FY22 | Security Misconfiguration | 2021/09/01 |
| Bharat[mrnoob] | India | Q2 FY22 | Security Misconfiguration | 2021/09/20 |
| Simbba, Chetanya Sharma | India | Q2 FY22 | Security Misconfiguration | 2021/09/26 |
| Bharat (mrnoob), sundar lal baror | India | Q2 FY22 | Unvalidated Redirect (3rd-Party) | 2021/10/24 |
| Abhinav Kumar | India | Q2 FY23 | Security Misconfiguration | 2022/04/16 |
| Hammad Ahmed | Pakistan | Q2 FY23 | Cross Site Scripting (XSS) | 2022/04/22 |
| Orion Joshi | Nepal | Q4 FY23 | Security Misconfiguration | 2023/01/31 |
| Ramesh Yadav | India | Q1 FY24 | Security Misconfiguration | 2023/02/10 |
| Siddesha GC | India | Q1 FY24 | Security Misconfiguration | 2023/02/24 |
| Aakash Tayal | India | Q1 FY24 | Security Misconfiguration | 2023/03/24 |
