Skip to content

Security: tattle-made/feluda

SECURITY.md

Security Policy

Tattle takes the security and data privacy of our systems very seriously. Please read this document before performing any security analysis or reporting a vulnerability.

Reporting Security Issues

Tattle encourages independent security researchers to responsibly disclose any vulnerabilities found in our site or applications.

Please add as much detail as possible in the report, including reproducible steps, to prevent delays in addressing the issue. Please test against the latest product version.

Tattle does not participate in a bug bounty program. However, we are happy to publicly acknowledge your contributions if we are made aware of the issue for the first time.

Tattle will make a best effort attempt to respond within 3 working days of receiving the report.

Tattle's Vulnerability Disclosure Policy

Tattle will disclose vulnerabilities on a 90-day disclosure deadline with the following exceptions -

  • If the deadline falls on a weekend or an Indian public holiday, the deadline will be moved to the next working day.
  • If a high or critical severity vulnerability is discovered in a 3rd party product or dependency, we will inform the vendor and attempt to get the vulnerability fixed. We will delay the disclosure if a patch is scheduled for release within 14 days after the 90-day deadline.
  • If we discover a "0day" vulnerability (an actively exploited, and previously unknown and unpatched vulnerability), we will disclose it within 7 days to prevent further compromise of machines and/or accounts. This is an unreasonable amount of time to release a well-tested fix, but allows sufficient time to publish advice and/or potential mitigations.

Rules of Engagement, Testing, and Proof-of-Concepts

  • Tattle products are open-source. You are encouraged to install standalone products locally for researching vulnerabilities.
  • If you want to conduct penetration testing on any of Tattle's domains or subdomains, you will need an explicit written permission. During the process, you should coordinate with the Tattle team more closely to avoid escalation.
  • Do not publicly post a proof-of-concept until the report is disclosed.
  • You are required to follow Tattle's Code of Conduct and POSH Policy when communicating with any team member.

Out of scope

  • Automated scanning of any kind
  • Accessing or modifying data of other users
  • Attacks on physical security
  • Person-in-the-Middle attacks
  • Social engineering of any kind
  • Denial of Service
  • Use of leaked credentials

Safe Harbor

We follow this safe harbor policy for researchers

References

This policy has taken inspiration from the following sources:

First Release: 22 March, 2024

There aren’t any published security advisories