SECURITY POLICY

How we handle security reports

NOTE: We do not have a bug bounty program, so if you are expecting to be compensated financially, this is simply not going to happen. This is a ".org" site run by hackers who all have actual day jobs, not some for-profit site that milks money out of the masses. That said, report security flaws via security@nmrc.org. If the flaw is in a public-facing NMRC server we will handle it, but note what we "cover" below.

What's in "scope"?

Since we do not pay for bugs, in a way everything is in scope. For code written and located on blackhole, check to see if there is a repository for that code on GitLab and report it via an issue there. Just note the best you are going to get is bragging rights, and we will certainly give credit where credit is due, typically via social media, or perhaps in a blog or security conference talk. Also note this site is run by hackers, so if you're some group like the PRC or some other APT group we will handle you accordingly as we have in the past. Same for irritating and destructive hacker types: we will not involve law enforcement but will most likely respond in our own way, which will be purposely focused on being rather "unpleasant" for you.

How we fix stuff reported

If you report something that's fixed by a patch or a configuration adjustment, we will patch and reconfigure accordingly. If this is something we don't directly control (e.g. a flaw in nginx) we will attempt to mitigate it, but we strongly recommend you also let whoever controls it know (e.g. from the previous example, nginx), and you might get that bug bounty from them.

What else will we do?

If you wish to discuss some security flaw in someone else's software or some other web presence, as long as you are not trying to do something illegal we can answer questions and whatnot as we have time. No guarantee it will turn out to be helpful or timely, but you're getting our thoughts for free. If you want advice on some criminal behavior or you're in some type of legal trouble, maybe contact someone that's actually a lawyer (or maybe the EFF).

What to do if this policy doesn't answer your question or concern

That sucks. I guess fuck off.


Last updated 05Apr2024