Reporting Security Issues¶
If you believe that you’ve found a security issue in the Airside sync solution or another Safe Sky product, please report it by emailing security@safe-sky.net. The security team PGP key (241AA973E0214370) can be used to send encrypted mail or to verify responses received from that address.
Please act responsibly in dealing with the found vulnerability. Do not take any steps or actions that go beyond what is needed to identify and verify the issue. Do not use the found vulnerability to your own advantage and avoid storing confidential data which was obtained from a result of the found issue.
When reporting a vulnerability, please include the the date and time when this issue was discovered, the type of vulnerability found, the service or application affected by the vulnerability and a detailed explanation of the issue including steps to reproduce it (where applicable).
Bug Validation¶
Each reported issue will be assessed by Safe Sky Industries. A bug is only considered valid (in the context of bug bounties) when it is not only present but also actually poses a risk for our systems. E.g. It is possible that a version of a used package contains a bug but that we do not use the affected part or that we mitigate the issue in other ways as we are aware of the vulnerability.
In addition, we do actively monitor and assess our internet-exposed systems to detect potential security risks and misconfigurations. Therefore we do not act upon reports where, for example but not limited to, only weak configurations of a certain protocol are reported, compliance issues with best practices are listed or reports where only output from commonly used automated tools is being listed.
Bug Bounties¶
We provide bounties for bugs and security issues. The following policy guides our payments for valid bugs. We use the CVSS v3.0 Base Score Metrics scoring system to calculate vulnerability severity and differentiate between tiers of assets:
- Tier 1 assets:
The public facing https://app.safe-sky.net/ web site and API.
The Safe Sky Airside sync mobile apps for iOS and Android.
… i.e., the “Airside sync” service that our customers use.
- Tier 2 assets:
Auxiliary sites and services such as logging, monitoring, and status reporting, which are still managed by ourselves; for example https://mon.safe-sky.net/.
Non-production instances of Airside sync, for example https://staging.safe-sky.net/.
Score calculation is limited to C:L, I:L, A:L.
- Tier 3 assets:
Our public web site (https://safe-sky.net/ and https://www.safe-sky.net/).
External sites we merely CNAME to, such as https://eu1-status.safe-sky.net and https://id.safe-sky.net/.
No bounties are offered for these.
For valid reports we offer the following bounties:
Low (0.1-3.9) |
Medium (4.0-6.9) |
High (7.0-8.9) |
Critical (9.0-10.0) |
|
|---|---|---|---|---|
Tier 1 |
$150 |
$250 |
$500 |
$1000+ |
Tier 2 |
$50 |
$100 |
$250 |
— |
