| 1 | +# Security |
| 2 | + |
| 3 | + |
| 4 | + |
| 5 | +Based on [https://supabase.com/.well-known/security.txt](https://supabase.com/.well-known/security.txt) |
| 6 | + |
| 7 | +At Midday, we consider the security of our systems a top priority. But no matter |
| 8 | +how much effort we put into system security, there can still be vulnerabilities |
| 9 | +present. |
| 10 | + |
| 11 | +If you discover a vulnerability, we would like to know about it so we can take |
| 12 | +steps to address it as quickly as possible. We would like to ask you to help us |
| 13 | +better protect our clients and our systems. |
| 14 | + |
| 15 | +## Out of scope vulnerabilities |
| 16 | + |
| 17 | +- Clickjacking on pages with no sensitive actions. |
| 18 | +- Unauthenticated/logout/login CSRF. |
| 19 | +- Attacks requiring MITM or physical access to a user's device. |
| 20 | +- Any activity that could lead to the disruption of our service (DoS). |
| 21 | +- Content spoofing and text injection issues without showing an attack |
| 22 | + vector/without being able to modify HTML/CSS. |
| 23 | +- Email spoofing |
| 24 | +- Missing DNSSEC, CAA, CSP headers |
| 25 | +- Lack of Secure or HTTP only flag on non-sensitive cookies |
| 26 | +- Deadlinks |
| 27 | + |
| 28 | +## Please do the following |
| 29 | + |
| 30 | +- E-mail your findings to [[email protected]](mailto:[email protected]). |
| 31 | +- Do not run automated scanners on our infrastructure or dashboard. If you wish |
| 32 | + to do this, contact us and we will set up a sandbox for you. |
| 33 | +- Do not take advantage of the vulnerability or problem you have discovered, |
| 34 | + for example by downloading more data than necessary to demonstrate the |
| 35 | + vulnerability or deleting or modifying other people's data, |
| 36 | +- Do not reveal the problem to others until it has been resolved, |
| 37 | +- Do not use attacks on physical security, social engineering, distributed |
| 38 | + denial of service, spam or applications of third parties, |
| 39 | +- Do provide sufficient information to reproduce the problem, so we will be |
| 40 | + able to resolve it as quickly as possible. Usually, the IP address or the URL |
| 41 | + of the affected system and a description of the vulnerability will be |
| 42 | + sufficient, but complex vulnerabilities may require further explanation. |
| 43 | + |
| 44 | +## What we promise |
| 45 | + |
| 46 | +- We will respond to your report within 3 business days with our evaluation of |
| 47 | + the report and an expected resolution date, |
| 48 | +- If you have followed the instructions above, we will not take any legal |
| 49 | + action against you in regard to the report, |
| 50 | +- We will handle your report with strict confidentiality, and not pass on your |
| 51 | + personal details to third parties without your permission, |
| 52 | +- We will keep you informed of the progress towards resolving the problem, |
| 53 | +- In the public information concerning the problem reported, we will give your |
| 54 | + name as the discoverer of the problem (unless you desire otherwise), and |
| 55 | +- We strive to resolve all problems as quickly as possible, and we would like |
| 56 | + to play an active role in the ultimate publication on the problem after it |
| 57 | + is resolved. |
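Review bot: The reporting address on line 30 is the obfuscated placeholder `[email protected]` in both the link text and the `mailto:` target, so the one actionable instruction in the policy does not resolve; replace it with the real disclosure mailbox before merging. Since the text is explicitly based on a security.txt, it would also help to publish a machine-readable `/.well-known/security.txt` (RFC 9116) whose `Contact:` field carries that same address and whose `Policy:` field links to this document, and to state here whether reports can be encrypted (a PGP key or an `Encryption:` entry), as several "Please do the following" items ask researchers to keep details confidential. Minor wording: "HTTP only flag" on line 25 should be "HttpOnly flag", "Deadlinks" on line 26 should be "Dead links", the three blank lines after the `# Security` heading can be reduced to one, and the list items mix trailing commas (lines 35-38, 47-54) with full stops; pick one.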