Reporting Vulnerabilities
Please help us to keep the tools safe for use.
We take the security of our tools extremely seriously and investigate any reported issues and vulnerabilities.
Vulnerability Disclosure Program
Oblivious launched a Vulnerability Disclosure Program on the Bugcrowd platform. All discussions related to vulnerability disclosure take place on the Bugcrowd platform, and researchers can track their submissions there.
Public Notifications
If applicable, we will notify all of our current and past customers of a vulnerability if it ever comes to light that there is an issue that could impact their privacy or security.
To protect our customers, we ask that you not publish a public notification before we have communicated directly with our user base.
Safe Harbor
We follow AWS's approach of providing a safe harbor for security research performed in good faith, and we adopt Disclose.io's Core Terms. If you would like to collaborate on such security research, please reach out to us at research@oblivious.ai.
Scope
The following domains are in scope for the Vulnerability Disclosure Program:
Program Rules
- Please DO NOT create excessive numbers of deployments or services.
- Please DO NOT target assets belonging to Oblivious customers.
- Please DO NOT attempt brute-force or volume-based attacks, rate-limit testing, automated tooling, or any attack scenario that could cause a denial of service.
- Please provide detailed reports with reproducible steps.
- Social engineering is prohibited. Contacting employees or customers of Oblivious is strictly prohibited.
- Please DO NOT exploit a discovered vulnerability to disrupt our services.
Issues not to report
The following issues are considered out of scope:
- Missing security headers (for example X-XSS-Protection, Strict-Transport-Security, X-Content-Type-Options) in HTTP responses.
- Any activity that could lead to the disruption of our service (DoS).
- Email configuration issues such as SPF, DKIM, or DMARC.
- Banner information disclosure.
How to report a security vulnerability
If you believe that you have identified a vulnerability in the Oblivious tool suite or in AWS Nitro itself, we would appreciate it if you reported your findings to us through our Vulnerability Disclosure Program (VDP) by writing directly to oblivious-vdp@submit.bugcrowd.com. Please describe the vulnerability precisely so that our engineers can mitigate the impact of the issue effectively.
We ask you to do so discreetly so that the team can patch the vulnerability and inform our user base responsibly and safely. We commit to keeping you informed throughout the process.