Reporting security issues

From Alistair Mann / csi18n
Jump to: navigation, search

If you have found a security issue with the csi18n service, please email it to

What counts as security issue?

If you believe a problem you've found is a security problem, then that's good enough for us - send it on. These are also the sort of things we're after:

  • Read or write access to foreign security data including password and password reset data, RBAC records, locks, bumps, apikeys and CORS records;
  • Read or write access to foreign user data such as translations and preferences;
  • Denial of service attacks other than a simple flood, which is already a known security issue we're dealing with

Whats a normal request? What's a crafted request?

A normal request is any request that can be replicated on one line, with one cURL command, with arguments only as found in its manpage.

A crafted request is one that cannot be replicated using cURL, or only by using cURL in a non-trivial way such as using pipes or exploiting cURL vulnerabilities.

When to inform us before pen-testing?

If you are attempting to crack one of your own accounts from a second account you own, then you don't need to inform us as long as you're using normal requests. The existing security will determine "you own" the accounts by looking at whether the account attacked from is the SuperOrdinate account of the account being attacked, or if both accounts share the same recovery email address and were created around the same time from the same IP address.

If you are using crafted requests then you should contact us ahead of time as some of the defences will automatically block even normal access if they detect shenanigans.

What else?

At the moment there is just the one server; a server especially for attacking is as yet a future plan. It'd therefore be awfully considerate of you to consider the other users and restrict the number of requests you make and space out how often you send them.

If you consistently make less than 10,000 requests a day from the same IP address, or no more than about 15mb of bandwidth, then you should have no trouble. Beyond them and you may get shaped.

What to add to the email?

Please add

  • The steps used so we can repeat your observation. If you can provide it as a bash script of cURL commands, even better
  • Your IP address, account details and APIKey used when conducting the attack. We'll use this to look in the logs for any unobserved effects
  • Who you are, if we may contact you at that email address if necessary, the date at which you would normally "go public" with an unaddressed issue, and if you want your details withheld from the hall of fame.

Hall of fame?

In the absence of hard cash for anything, it's the best I can do. Your report, if confirmed, will be fixed as a priority over HTTP or RESTful incompliance issues as well as more ordinary issues. Once fixed, you'll get the credit in a hall of fame that has yet to be established. If you don't want credit, the report will still be acknowledged as by "anonymous".