Summary

  1. We want you to responsibly disclose through our security vulnerability program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our Security Vulnerability Safe Harbor policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.

  2. Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.

  3. If your security research as part of the Security Vulnerability program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.

  4. Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

  5. When in doubt, contact us at team@tosdr.org.

  6. Only test for vulnerabilities on sites you know to be operated by ToS;DR and are supported. Some sites hosted on subdomains of tosdr.org, tosback.com, tosback.org or tosback.net are operated by third parties and should not be tested.

Performing your research

  • Do not impact other users with your testing; this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.

  • The following are never allowed. We may suspend your ToS;DR accounts and ban your IP address for:

    • Performing distributed denial of service (DDoS) or other volumetric attacks

    • Spamming content

    • Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.

      • Note: We do allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one nmap scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.

  • Researching denial-of-service attacks is allowed only if you follow these rules:

    • There are no limits for researching denial of service vulnerabilities against your own instance of CrispCMS, Phoenix, Tosback or our crawler. We strongly recommend/prefer this method for researching denial of service issues. If you have no ability to self-host our services, we provide staging environments you can test on.

      • CrispCMS - staging.tosdr.org

      • API - api.staging.tosdr.org

      • Phoenix - edit.staging.tosdr.org

      • Shields - shields.staging.tosdr.org

    • If you choose to test on our production environment:

      • Stop immediately if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability; ToS;DR's team will be able to determine the impact.

Handling personally identifiable information (PII)

  • Personally identifiable information (PII) includes:

    • legal and/or full names

    • names or usernames combined with other identifiers like phone numbers or email addresses

    • health or financial information (including insurance information, social security numbers, etc.)

    • information about political or religious affiliations

    • information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes

  • Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.

  • Report the vulnerability immediately and do not attempt to access any other data. The ToS;DR team will assess the scope and impact of the PII exposure.

  • Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned.

  • You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed.

  • We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability.

1. Safe Harbor Terms

To encourage research and responsible disclosure of security vulnerabilities, we will not pursue civil or criminal action, or send notice to law enforcement for accidental or good faith violations of this policy. We consider security research and vulnerability disclosure activities conducted consistent with this policy to be “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this security vulnerability program's scope.

Please understand that if your security research involves the networks, systems, information, applications, products, or services of a third party (which is not us), we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot and do not authorize security research in the name of other entities, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.

You are expected, as always, to comply with all laws applicable to you, and not to disrupt or compromise any data beyond what this security vulnerability program permits.

Please contact us before engaging in conduct that may be inconsistent with or unaddressed by this policy. We reserve the sole right to make the determination of whether a violation of this policy is accidental or in good faith, and proactive contact to us before engaging in any action is a significant factor in that decision. If in doubt, ask us first!

2. Third Party Safe Harbor

If you submit a report through our Security Vulnerability program which affects a third party service, we will limit what we share with any affected third party. We may share non-identifying content from your report with an affected third party, but only after notifying you that we intend to do so and getting the third party's written commitment that they will not pursue legal action against you or initiate contact with law enforcement based on your report. We will not share your identifying information with any affected third party without first getting your written permission to do so.

Please note that we cannot authorize out-of-scope testing in the name of third parties, and such testing is beyond the scope of our policy. Refer to that third party's safe harbor policy, if they have one, or contact the third party either directly or through a legal representative before initiating any testing on that third party or their services. This is not, and should not be understood as, any agreement on our part to defend, indemnify, or otherwise protect you from any third party action based on your actions.

That said, if legal action is initiated by a third party, including law enforcement, against you because of your participation in this security vulnerability program, and you have sufficiently complied with our safe harbor policy (i.e. have not made intentional or bad faith violations), we will take steps to make it known that your actions were conducted in compliance with this policy. While we consider submitted reports both confidential and potentially privileged documents, and protected from compelled disclosure in most circumstances, please be aware that a court could, despite our objections, order us to share information with a third party.

3. Limited Waiver of Other Site Policies

To the extent that your security research activities are inconsistent with certain restrictions in our relevant legal policy but consistent with the terms of our security vulnerability program, we waive those restrictions for the sole and limited purpose of permitting your security research under this security vulnerability program. Just like above, if in doubt, ask us first!