Vulnerability Reporting Guidelines

Reporting a vulnerability

Email the details of any vulnerability you find in Crowdin to support@crowdin.com. Please include every detail you have, so that the Crowdin security team can verify and reproduce the issue.

Hall of Fame

On behalf of thousands of users, we thank the researchers listed below for helping make Crowdin more secure. See the Hall of Fame.

What we need

When submitting an issue, please provide a technical description so that we can assess how exploitable it is and what its impact would be.

  • Steps to reproduce the issue, including any URLs and code involved.
  • If you are reporting cross-site scripting (XSS), your exploit must at least trigger an alert pop-up in the browser. It is even better if the XSS can expose the user's authentication cookie.
  • For cross-site request forgery (CSRF), provide a case in which a suitable third-party page causes a logged-in user to perform an action.
  • For SQL injection, we need an exploit that actually extracts data from the database, not one that merely produces an error message.
  • HTTP request/response captures, or even a plain network packet capture, are very useful to us.
  • Please do not send links to sites other than Crowdin, and do not report issues inside PDF, DOC or EXE files. Reporting with image files is fine. Make sure the bug can be exploited against someone other than the currently logged-in user; for example, Self-XSS does not qualify.

What we do not need

  • Descriptive error messages (e.g. application or server errors).
  • HTTP 404 codes/pages, or other pages with a non-HTTP-200 status code.
  • Banner disclosure on common/public services.
  • Publicly known files or directories (e.g. robots.txt).
  • Clickjacking, and issues only exploitable through clickjacking.
  • CSRF on forms available to anonymous users (e.g. the contact form).
  • Logout cross-site request forgery (logout CSRF).
  • Presence of application or web browser "autocomplete" or "save password" functionality.
  • Missing Secure and HttpOnly cookie flags.
  • Lack of a security speed bump when leaving the site.
  • Weak CAPTCHA or CAPTCHA bypass.
  • Username enumeration via the login page error message.
  • Username enumeration via the "Forgot Password" page error message.
  • Brute force against the login or "Forgot Password" page, and account lockout not being enforced.
  • OPTIONS / TRACE HTTP methods being enabled.
  • SSL/TLS attacks such as BEAST, BREACH and renegotiation.
  • SSL/TLS forward secrecy not enabled.
  • Insecure SSL/TLS cipher suites.
  • Missing anti-MIME-sniffing header X-Content-Type-Options.
  • Missing HTTP security headers.

Vulnerability reporting terms

Please review the following terms before testing for or reporting a vulnerability. Crowdin commits that, as long as researchers follow these rules, it will not take legal action against them for penetrating, or attempting to penetrate, our systems.

Security research Crowdin does not permit

Although we encourage you to find and responsibly report any vulnerability to us, the following activities are expressly prohibited:

  • Performing actions that could adversely affect Crowdin or its users.
  • Accessing, or attempting to access, data or information that does not belong to you.
  • Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.
  • Any physical or electronic attack on Crowdin personnel, property or data centers.
  • Social engineering of any Crowdin service desk, employee or contractor.
  • Vulnerability testing of the service using accounts other than test accounts.
  • Violating any law or agreement in order to find vulnerabilities.

Commitments of the Crowdin security team

We ask that you do not share or publicize an unresolved vulnerability with third parties. If you responsibly submit a vulnerability report, the Crowdin security team and the associated development organizations will use reasonable efforts to:

  • Respond promptly, confirming that we have received your vulnerability report.
  • Provide an estimated timeline for handling the vulnerability report.
  • Notify you when the vulnerability has been fixed.
  • Gladly thank every researcher who submits a vulnerability report and helps us improve Crowdin's overall security posture.

Please note that by submitting a vulnerability report to us, you grant us a perpetual, worldwide, royalty-free, irrevocable and non-exclusive license and right to use, modify, and incorporate your submission, or any part of it, into our products, services, or test systems without any further obligation or notice to you.

We would be grateful for any further relevant technical information you may have, especially if reproduction is tricky. If we cannot reproduce an issue, we cannot reward you. There is, however, no need to describe the security impact of your finding: we understand security risks and can work that out ourselves. We only need the technical details.

Rewards

We keep our reward system flexible; rewards are based on severity, impact, and report quality. For example, we can provide you with a coupon for Crowdin swag. Depending on what you discover, you may also be added to the Crowdin Hall of Fame. If you would rather stay behind an alias (handle) or remain anonymous, we will of course respect that.

We do have specific things we are (and are not) looking for, so check the "What we need" and "What we do not need" sections above.

If you report several issues that are duplicates in different parts of the service (e.g. the same code running on different nodes or platforms), or that are parts of one larger issue, these may be combined into one, and only one reward may be possible.

If someone else has already reported the finding earlier, we will let you know after the issue has been fixed. If several researchers report the same issue, we only reward the sender of the first report that provides us with enough technical detail to reproduce the finding. We know that this gives us a loophole to claim that everything has already been found, but trust us, we want to be fair.

A reward will not be provided if the finding becomes known to anyone other than you or us, in any way, before it is fixed.

You can always track how your issue is progressing. To do so, contact the Crowdin security team at support@crowdin.com.