Security: DevCycleHQ/devcycle-docs

.github/SECURITY.md

DevCycle Vulnerability Reporting/Security Bug Program


Reporting a Vulnerability

If you believe that you have found a security vulnerability in any DevCycle project, or have security concerns regarding any DevCycle service, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. Before reporting though, please review these guidelines:

We are a CVE Numbering Authority (CNA) - https://www.cve.org/PartnerInformation/ListofPartners/partner/DevCycle - and as such we control the issuance of CVEs for our products.

Rules

  • Do not take advantage of the vulnerability or problem you have discovered, for example by accessing another project/org/feature etc. that you do not have permission to access.
  • Submissions must include written instructions for reproducing the vulnerability. We strongly prefer a PoC (proof of concept) that demonstrates the vulnerability. This helps us to better understand the vulnerability and to evaluate its severity. Submissions without clear reproduction steps or which only include reproduction steps in video form will take longer to process and may be closed without action.
  • We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability.
  • If your submission is accepted, we will credit you in this file (attached to all DevCycle repos). If you would like to be credited under a different name or alias, please let us know.
  • Under no circumstances may you publicly disclose a vulnerability without prior written permission from DevCycle.
  • Don’t leverage internal access to continue testing. For example, if you have gained remote command execution on a server, do not use that access to start scanning or exploring our internal systems. We will assess the impact, if any, internally.
  • Don’t upload anything malicious, or otherwise go beyond what is necessary to prove a vulnerability exists.
  • Don’t leave systems in a more vulnerable state.
  • Don’t take any action that could impact the performance or availability of any system, including public SDKs.
  • We do not have a bug bounty program at this time, but we may provide rewards at our discretion.

How to Report a Vulnerability

  • If the vulnerability is related to one of our public GitHub repos, we ask that you report it through GitHub's built-in private vulnerability reporting tool on that repository (see GitHub's documentation on privately reporting a security vulnerability).

  • We welcome reports to our HackerOne VDP (vulnerability disclosure program).

  • If you are unsure whether the vulnerability is related to a public GitHub repo or to the DevCycle platform, please submit a report through the HackerOne VDP above.

Previous Vulnerabilities Reported

None! Be the first!