Security Policy 🔐 | Feature Request

[tcbutler320]

Security Policy 🔐 | Feature Request

With the recent development of the Tribe features in dev.monketype, I think it would be a good idea to draft a security policy so that users and researchers can responsibly disclose security concerns. I feel pretty good about locking down the previous XSS from #1476 and #1348, but moving forward it might be advantageous to move vulnerability disclosures away from Github issues, and into a separate policy.

Suggestion

I like the security.txt proposal from edoverflow. A basic example is below. The security policy would be located in a txt file at the resource https://monkeytype.com/.well-known/security.txt. If you want to keep this on discord and not have disclosures by mail, you could switch the contact to be a private message at https://www.discord.gg/monkeytype/.

Contact: mailto:[email protected]
Expires: 2022-05-29T15:12:00.000Z
Encryption: https://monkeytype.com/pgp
Preferred-Languages: en
Canonical: https://monkeytype.com/.well-known/security.txt
Policy: https://github.com/Miodec/monkeytype/blob/master/security-policy.md

[tcbutler320]

*Update: I've updated my fork with a security-policy.html that can be appended to the footer

security_policy.mp4

Security Policy Details

The current draft reads as follows

Monkeytype takes the security of its platform seriously. If you are a security researcher and you have found a vulnerability in the application, we would like to work with you to remediate the issue.

Table of Contents

• How to Disclose a Vulnerability
• Submission Guidelines

How to Disclose a Vulnerability?

For vulnerabilities that impact the confidentiality, integrity and availability of monkeytype services, please send your vulnerability disclosure via (1) mail, or (2) private discord chat to miodec. For non-security related platform bugs, follow the bug submission guidelines. Include as much detail as possible to ensure reproducibility. At a minimum, vulnerability disclosures should include the following:

• Vulnerability Description.
• Proof of Concept
• Impact
• Screenshots or Proof

Submission Guidelines

Do not engage in activities that might cause a denial of service condition or create significant strains on critical resources. Do not engage in activities that negatively impact users of the site outside of test or dummy accounts.

[Miodec]

We could add both the security.txt and the new policy page. Feel free to open a pull request ill merge it.