Security

Introduction

Greenwork takes security seriously, and we welcome responsible disclosures from security researchers like you.

This document covers:
  • what types of research we welcome you to conduct
  • guidelines for conducting vulnerability discovery activities
  • guidelines for how you should communicate vulnerabilities to us
  • how long we ask you to wait before publicly disclosing vulnerabilities
  • researchers who have helped us via responsible disclosures

We want security researchers to feel comfortable reporting vulnerabilities they’ve discovered – as set out in this policy – so we can fix them and keep our users safe. We developed this policy to reflect our values and uphold our responsibility to security researchers who share their expertise with us in good faith.

Questions regarding this policy may be sent to admin@joingreenwork.com. We also invite you to contact us with suggestions for improving this policy.

Types of Research - What’s Out of Scope

We welcome responsible research. We ask that you do not:
  • engage in physical testing of facilities or resources
  • engage in social engineering
  • send unsolicited electronic mail to Greenwork users, including "phishing" messages
  • execute or attempt to execute "Denial of Service" or "Resource Exhaustion" attacks
  • introduce malicious software
  • test in a manner which could degrade the operation of Greenwork systems; or intentionally impair, disrupt, or disable Greenwork systems
  • test third-party applications, websites, or services that integrate with or link to or from Greenwork systems
  • delete, alter, share, retain, or destroy Greenwork data, or render Greenwork data inaccessible
  • use an exploit to exfiltrate data, establish command line access, establish a persistent presence on Greenwork systems, or "pivot" to other Greenwork systems

Guidelines for Conducting Research

Under this policy, "research" means activities in which you:
  • make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data
  • only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to "pivot" to other systems
  • do not intentionally compromise the privacy or safety of Greenwork personnel, or any users or third parties
  • do not intentionally compromise the intellectual property or other commercial or financial interests of any Greenwork personnel or entities, or any users or third parties
  • notify us as soon as possible after you discover a real or potential security issue (see next section)

Guidelines for Communication

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), we need you to:
  • stop your test, notify us immediately, and not disclose this data to anyone else
  • send your reports to admin@joingreenwork.com
  • describe the vulnerability, where it was discovered, and the potential impact of exploitation
  • offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful)
  • purge any stored Greenwork nonpublic data upon reporting a vulnerability
  • avoid public disclosure unless you have coordinated with us (see next section)

Public Disclosure

Greenwork is committed to timely correction of vulnerabilities. But often, public disclosure of a vulnerability in the absence of a readily available fix increases rather than decreases risk. Accordingly, we need you to refrain from sharing information about discovered vulnerabilities for 90 calendar days after you have received our acknowledgement of receipt of your report. If you believe others should be informed of the vulnerability prior to our fix, we need you to coordinate in advance with us.

Acknowledgements

The following researchers have helped us via responsible disclosures:


Copyright © 2022 Greenwork. All rights reserved.