-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Include Passkeys Directory in security reporting document
Signed-off-by: Carlgo11 <[email protected]>
- Loading branch information
Showing
1 changed file
with
16 additions
and
13 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,32 +1,35 @@ | ||
| # Security Reporting | ||
|
|
||
| Have you found a security vulnerability or bug affecting 2FA Directory? | ||
| Have you found a security vulnerability or bug affecting the 2FA Directory or Passkeys Directory? | ||
| Get in touch with us! | ||
|
|
||
| ## Vulnerability scope | ||
| ## Vulnerability Scope | ||
|
|
||
| [2factorauth][about] hosts the 2FA Directory [website][website] | ||
| and [API service][api]. | ||
| We also manage the GitHub repositories on [github.com/2factorauth][github]. Vulnerabilities | ||
| directly related to the code in these repositories can be reported to us. | ||
| [2factorauth][about] hosts the 2FA Directory [website][2fa_website] | ||
| and [API service][2fa_api] along with the Passkeys Directory [website][pk_website] and [API service][pk_api]. | ||
| We also manage the GitHub repositories on [github.com/2factorauth][github]. | ||
| Vulnerabilities directly related to the code in these repositories can be reported to us. | ||
| If you've found an issue with one of our dependencies, please report your findings directly to the dependency in | ||
| question. | ||
|
|
||
| Before reporting, please note that 2FA Directory is a static website and API service public to everyone. | ||
| Therefore, potential DOM and cookie exfiltration aren't something that's within our scope. | ||
| > [!Note] | ||
| > Before reporting, please keep in mind that the Directories are static websites with API services that are public to everyone. | ||
| > Therefore, potential DOM and cookie exfiltrations are outside our security vulnerability scope. | ||
| ## Reporting vulnerabilities | ||
| ## Reporting Vulnerabilities | ||
|
|
||
| Please report your findings through our [Security advisory platform][advisory]. | ||
| If you're unable to use GitHub, send us an email instead at <a href="mailto:[email protected]">[email protected]</a>. | ||
| PGP is available using the key [66906F90EA58EC3FA5DC5B3A61339316DD315F4D][pgp]. | ||
| PGP is available using the key [0xDD315F4D][pgp]. | ||
|
|
||
| > **Warning** | ||
| > [!Important] | ||
| > Reports from automated security scans will be discarded. | ||
| [2fa_api]: https://2fa.directory/api/ | ||
| [2fa_website]: https://2fa.directory/ | ||
| [about]: https://2fa.directory/about/ | ||
| [advisory]: https://github.com/2factorauth/twofactorauth/security/advisories/new | ||
| [api]: https://2fa.directory/api/ | ||
| [github]: https://github.com/2factorauth | ||
| [pk_api]: https://passkeys.2fa.directory/api/ | ||
| [pk_website]: https://passkeys.2fa.directory/ | ||
| [pgp]: https://keys.openpgp.org/vks/v1/by-fingerprint/66906F90EA58EC3FA5DC5B3A61339316DD315F4D | ||
| [website]: https://2fa.directory/ |