Security & Attribution
Security
Introduction
Greenwork takes security seriously, and we welcome responsible disclosures from security researchers like you.
This document covers:
- what types of research we welcome you to conduct
- guidelines for conducting vulnerability discovery activities
- guidelines for how you should communicate vulnerabilities to us
- how long we ask you to wait before publicly disclosing vulnerabilities
- researchers who have helped us via responsible disclosures
We want security researchers to feel comfortable reporting vulnerabilities they’ve discovered – as set out in this policy – so we can fix them and keep our users safe. We developed this policy to reflect our values and uphold our responsibility to security researchers who share their expertise with us in good faith.
Questions regarding this policy may be sent to admin@joingreenwork.com . We also invite you to contact us with suggestions for improving this policy.
Types of Research - What’s Out of Scope
We welcome responsible research. We ask that you do not:
- engage in physical testing of facilities or resources
- engage in social engineering
- send unsolicited electronic mail to Greenwork users, including "phishing" messages
- execute or attempt to execute "Denial of Service" or "Resource Exhaustion" attacks
- introduce malicious software
- test in a manner which could degrade the operation of Greenwork systems; or intentionally impair, disrupt, or disable Greenwork systems
- test third-party applications, websites, or services that integrate with or link to or from Greenwork systems
- delete, alter, share, retain, or destroy Greenwork data, or render Greenwork data inaccessible
- use an exploit to exfiltrate data, establish command line access, establish a persistent presence on Greenwork systems, or "pivot" to other Greenwork systems
Guidelines for Conducting Research
Under this policy, "research" means activities in which you:
- make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data
- only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to "pivot" to other systems
- do not intentionally compromise the privacy or safety of Greenwork personnel, or any users or third parties
- do not intentionally compromise the intellectual property or other commercial or financial interests of any Greenwork personnel or entities, or any users or third parties
- notify us as soon as possible after you discover a real or potential security issue (see next section)
Guidelines for Communication
Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), we need you to:
- stop your test, notify us immediately, and not disclose this data to anyone else
- send your reports to admin@joingreenwork.com
- describe the vulnerability, where it was discovered, and the potential impact of exploitation
- offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful)
- purge any stored Greenwork nonpublic data upon reporting a vulnerability
- avoid public disclosure unless you have coordinated with us (see next section)
Public Disclosure
Greenwork is committed to timely correction of vulnerabilities. But often, public disclosure of a vulnerability in absence of a readily available fix increases rather than decreases risk. Accordingly, we need you to refrain from sharing information about discovered vulnerabilities for 90 calendar days after you have received our acknowledgement of receipt of your report. If you believe others should be informed of the vulnerability prior to our fix, we need you to coordinate in advance with us.
Acknowledgements
The following researchers have helped us via responsible disclosures:
Attribution