Skip to content

Commit c64440f

Browse files
committed
docs: vuln reporting tweaks
1 parent 4c5e465 commit c64440f

1 file changed

Lines changed: 3 additions & 3 deletions

File tree

templates/about.html

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -491,12 +491,12 @@
491491

492492
<li id="vulnerability" class="question">I found a security vulnerability!</li>
493493
<li class="answer">
494-
<p>Oof. Thank you for reporting it! Please send details to <a href="mailto:security@brid.gy">security@brid.gy</a>. We may provide monetary awards for reports of significant vulnerabilities, eg reading or modifying stored access tokens, <em>if</em> you follow these rules:</p>
494+
<p>Oof. Thank you for reporting it! Please send details to <a href="mailto:security@brid.gy">security@brid.gy</a>, subject to these criteria:</p>
495495
<ul>
496496
<li>Vulnerabilities must be in the application itself, not unrelated services like email (eg SPF/DKIM/DMARC).</li>
497-
<li>Out of scope: rate limiting, XSS/CSRF attacks (Bridgy has no authenticated sessions), <code>/admin/*</code> pages.
497+
<li>Out of scope: rate limiting, XSS/CSRF attacks (Bridgy has no persistent authenticated sessions), <code>/admin/*</code> pages.
498498
<li>User data is intentionally public. That's not a vulnerability.</li>
499-
<li>No automated fuzzing, DoSes, or other high volume traffic. We block this traffic, and it will disqualify you from any possible award.</li>
499+
<li>No automated fuzzing, DoSes, or other high volume traffic. We block this traffic.</li>
500500
</ul>
501501
<p>Otherwise, <a href="https://github.com/snarfed/bridgy/">the code is open source</a>, feel free to try to break in, let us know if you succeed!</p>
502502
</li>

0 commit comments

Comments
 (0)