Legal

Full Disclosure Security Policy

Date: August 14 , 2020 — Previous Version

Our aim is to provide the best services we can in a highly secure fashion. We take security very seriously. Part of that is communication with the security community at large. We are providing this policy as a way to get in touch with us when researchers spot issues within our system. This gives researchers a way to give us feedback and to act as a guide for communication between the researcher and Airship.

Airship’s security policy provides guidelines for interaction between our company and security researchers. Upon discovering a security issue and communicating it with security@airship.com, a researcher can expect a response within seven days.

Airship is responsible for delivering status updates at least once every seven days until the problem is resolved or a fix is scheduled for release. We ask for full participation from researchers during this period.

Working with Airship is, of course, a voluntary choice, and a choice that hopefully researchers respect and accept accordingly. The goal of following this policy, above all else, is education: for Airship, for the researcher, our customers, and the community.

Responsible Disclosure Guidelines:

  • Share the issue with Airship prior to sharing it publicly or with any other party via email, the only authorized method of communication in which any research or potential findings should be discussed.
  • Allow us reasonable time to respond (seven days to acknowledge and seven day update intervals) to the issue before disclosing it publicly or sharing with any other party
  • Be aware that some services that we use at Airship are not under our control. While we strive to ensure our systems and vendors we use are as secure as possible, we depend on our vendors to ensure their products are up to our security standards. 

Eligibility requirements:

  • All submissions must be new discoveries. Awards will only be provided to the first researcher who submits a particular security vulnerability or bug. Duplicate reports do not receive awards. Airship determines duplicates at its sole discretion and will not share details on prior similar reports. If a subsequent report on a previously evaluated issue reveals that a vulnerability still remains or is more serious than initially judged, Airship will also award the second submission. 
  • The researcher must not reside in a country currently under U.S. sanctions.
  • Please provide detailed reports with reproducible steps. The researcher must not cut and paste a tool output into a submission without including additional analysis demonstrating the exploitability of a vulnerability. If the report is a false positive or is not detailed enough to reproduce the issue, the researcher will not be eligible for an award.
  • Multiple vulnerabilities caused by one underlying issue will receive one award.
  • You are 13 years of age or older. If you are at least 13 years old but are considered a minor in your place of residence, you must obtain your parent’s or legal guardian’s permission prior to participating in this program

Acknowledgements for third party security issues impacting Airship are issued at Airship’s discretion (E.g. Inclusion in the Hall of Fame).

Prohibited Testing

Please only test services to which you have authorized access. The following testing is not allowed

  1. Accessing, or attempting to access, accounts or data that does not belong to you. If any Personal Information is accessed, all activity should immediately stop, any downloaded or viewed data should be removed, and immediately contact Airship. This is important for protecting both potentially personal information, and you.
  2. Any attempt to modify, download, or destroy data
  3. Defacing or modifying public facing content on webpages
  4. Disruption or denial-of-service attacks, or any activity that could potentially or actually degrade Airship services or assets
  5. Sending, or attempting to send unsolicited or unauthorized email, spam or other forms of unsolicited messages
  6. Testing any third party services or integration which is not developed or maintained by Airship
  7. Posting, transmitting, uploading, linking to, sending or storing malware, viruses or similar harmful software
  8. Any testing that would violate any applicable laws or regulations, including (but not limited to) laws and regulations prohibiting unauthorized access to data where a) data, assets, or systems reside, b) data traffic is routed, or c) where the researcher is located
  9. Brute-force attacks
  10. The compromise or testing of accounts that you are not authorized to access
  11. Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic. Do not send thousands of requests a minute to our systems.
  12. Physical testing of Airship offices and facilities
  13. Phishing or Social Engineering

NOTE: This is not a comprehensive list of prohibited activities. Items not explicitly mentioned, but may be considered by a reasonable person as not allowed, are subject to this policy requirement. Prohibited activities are determined at Airships sole discretion.

Out of scope issues: 

  1. Pre-auth CSRF on Airship, Accengage, or Apptimize marketing websites
  2. DNS or DNSSEC configuration suggestions
  3. HTTP/HTTPS/TLS security header configurations
  4. Insecure cookie settings for non-sensitive cookies
  5. Previously submitted bugs
  6. Self-XSS
  7. SPF / DKIM / DMARC or other email spoofing issues
  8. TLS ciphers
  9. Resource Exhaustion Attacks
  10. All other web server headers
  11. Extremely low risk vulnerabilities (based on CVSS and/or Airship discretion)

Eligible Domains

The following URLs are in scope for our program:
www.airship.com

www.airship.eu

www.apptimize.eu

www.apptimize.com

analyze.airship.com

analyze-api.airship.com

docs.airship.com

go.airship.com

sftp.airship.com

support-eu.airship.com

support.airship.com

team.airship.com

view.airship.com

accengage.net

device-api.urbanairship.com

combine.urbanairship.com

Submission Process

This hypothetical process is provided as guidance for Airship’s vulnerability disclosure workflow:

  1. Researcher discovers a security threat
  2. Researcher validates the threat and ensures that it is not a false positive
  3. Researcher documents the threat
  4. Researcher sends email to security@airship.com with the details of the security issue and step by step repetiable proof of concept
  5. Within seven days, Airship will responds to researcher with status regarding security issue and possible resolutions
  6. Every seven days thereafter, Airship will provide a status update to the researcher
  7. When security issue has been satisfactorily resolved, researcher is welcome to publicly disclose finding

PGP Fingerprint

To send secure emails to our security team, please use the following PGP Fingerprint: 0x8ECBD357243F4CF0

Hall of Fame

Questions

This is an open-ended dialogue. If there is anything missing, you have a question, or if you’re just curious, please send us an email at security@airship.com.

Hall of Fame

All researchers featured in the Hall of Fame have also received an exclusive Airship Bug Bounty T-Shirt.

The hall of fame recognizes researchers findings publicly for the last four quarters. Thank you to everyone for your submissions and for working closely with Airship.

Researcher Country Quarter Finding Date
Prateek Tiwari India Q1 FY'19 Missing Function Level Access Control 2019/04/03
Hassan Shahid Pakistan Q2 FY'19 Sensitive Data Exposure 2019/07/17
Rehan Ali Pakistan Q2 FY'19 Security Misconfiguration 2019/07/18
Yeasir Arafat Bangladesh Q3 FY'19 Broken Authentication 2019/08/09
Abdul Ghaffar Afzal Pakistan Q3 FY'19 Security misconfiguration 2019/10/02
Sammam Qureshi Pakistan Q3 FY'19 Broken Authentication 2019/10/19
Waseem Ullah Siddiqui Pakistan Q3 FY'19 Security Misconfiguration 2019/10/19
Ali Razzaq Pakistan Q4 FY'19 Broken Authentication 2019/11/10
Bilal Abdul Muqeet Pakistan Q4 FY'19 Security Misconfiguration 2019/12/25
Tarun Tandon India Q4 FY'19 Customer Security Vulnerability 2020/01/16
Aman Mahendra India Q1 FY'20 Missing Function Level Access Control 2020/03/08
Dipesh Thakur India Q1 FY'20 Missing Function Level Access Control 2020/04/02
Ananda Dhakal Nepal Q1 FY'20 Insecure Direct Object Reference 2020/04/18
Ritik ChaddhaIndia Q2 FY'20 Security Misconfiguration2020/06/11
Hannan HaseebPakistan Q2 FY'20 Security Misconfiguration2020/06/29
Suraj Satish KharadeIndia Q3 FY'20 Third Party Security Issue2020/08/16
Akash Rajendra PatilIndia Q3 FY'20 Security Misconfiguration2020/08/17
Swapnil MauryaIndia Q3 FY'20 Security Misconfiguration2020/08/21
Vaibhav Ganesh SurvaseIndia Q3 FY'20 Broken Authentication2020/08/13
See for Yourself

Get a Personalized Demo of Our Customer Engagement PlatformGet a Demo