# Coder Security

Coder welcomes feedback from security researchers and the general public to help
improve our security. If you believe you have discovered a vulnerability,
privacy issue, exposed data, or other security issues in any of our assets, we
want to hear from you. This policy outlines steps for reporting vulnerabilities
to us, what we expect, and what you can expect from us.

You can see the pretty version [here](https://coder.com/security/policy)

# Why Coder's security matters

If an attacker could fully compromise a Coder installation, they could spin up
expensive workstations, steal valuable credentials, or steal proprietary source
code. We take this risk very seriously and employ routine pen testing,
vulnerability scanning, and code reviews. We also welcome the contributions from
the community that helped make this product possible.

# Where should I report security issues?

Please report security issues to security@coder.com, providing all relevant
information. The more details you provide, the easier it will be for us to
triage and fix the issue.

# Out of Scope

Our primary concern is around an abuse of the Coder application that allows an
attacker to gain access to another user's workspace, or spin up unwanted
workspaces.

- DoS/DDoS attacks affecting availability --> While we do support rate limiting
  of requests, we primarily leave this to the owner of the Coder installation.
  Our rationale is that a DoS attack only affecting availability is not a
  valuable target for attackers.
- Abuse of a compromised user credential --> If a user credential is compromised
  outside of the Coder ecosystem, then we consider it beyond the scope of our
  application. However, if an unprivileged user could escalate their permissions
  or gain access to another workspace, that is a cause for concern.
- Vulnerabilities in third party systems --> Vulnerabilities discovered in
  out-of-scope systems should be reported to the appropriate vendor or
  applicable authority.

# Our Commitments

When working with us, according to this policy, you can expect us to:

- Respond to your report promptly, and work with you to understand and validate
  your report;
- Strive to keep you informed about the progress of a vulnerability as it is
  processed;
- Work to remediate discovered vulnerabilities in a timely manner, within our
  operational constraints; and
- Extend Safe Harbor for your vulnerability research that is related to this
  policy.

# Our Expectations

In participating in our vulnerability disclosure program in good faith, we ask
that you:

- Play by the rules, including following this policy and any other relevant
  agreements. If there is any inconsistency between this policy and any other
  applicable terms, the terms of this policy will prevail;
- Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying
  data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with us;
- Provide us a reasonable amount of time (at least 90 days from the initial
  report) to resolve the issue before you disclose it publicly;
- Perform testing only on in-scope systems, and respect systems and activities
  which are out-of-scope;
- If a vulnerability provides unintended access to data: Limit the amount of
  data you access to the minimum required for effectively demonstrating a Proof
  of Concept; and cease testing and submit a report immediately if you encounter
  any user data during testing, such as Personally Identifiable Information
  (PII), Personal Healthcare Information (PHI), credit card data, or proprietary
  information;
- Interact only with test accounts you own or with explicit permission from
  the account holder; and
- Do not engage in extortion.