Legal

Full Disclosure Security Policy

Date: March 20 , 2024 — Previous Version

Purpose

Our aim is to provide the best services we can in a highly secure fashion. We take security very seriously. Part of that is communication with the security community at large. We are providing this policy as a way to get in touch with us when researchers spot issues within our system. This gives researchers a way to give us feedback and to act as a guide for communication between the researcher and Airship.

Airship’s security policy provides guidelines for interaction between our company and security researchers. Upon discovering a security issue and communicating it with security@airship.com, a researcher can expect a response within seven days. We conform to the ISO/IEC 29147:2018 and ISO/IEC 30111:2019 standards, ensuring our practices align with international guidelines for vulnerability disclosure and handling processes.

Airship is responsible for delivering status updates at least once every seven days until the problem is resolved or a fix is scheduled for release. We ask for full participation from researchers during this period.

Working with Airship is, of course, a voluntary choice, and a choice that hopefully researchers respect and accept accordingly. The goal of following this policy, above all else, is education: for Airship, for the researcher, our customers, and the community.

Responsible Disclosure Guidelines:

This hypothetical workflow illustrates the simple set of guidelines at work behind this policy:

  • Researcher discovers a security threat
  • Researcher documents the threat
  • Researcher sends email to security@airship.com with the details of the security issue
  • Within five days, Airship will respond to a researcher with the status regarding the security issue and possible resolutions
  • Every five days thereafter, Airship is required to send a status update to the researcher and to seek feedback on solutions
  • When the security issue has been satisfactorily resolved, the researcher is welcome to publicly disclose the finding
  • Share the issue with Airship prior to sharing it publicly or with any other party via email, the only authorized method of communication in which any research or potential findings should be discussed.
  • Allow us reasonable time to respond (seven days to acknowledge and seven day update intervals) to the issue before disclosing it publicly or sharing with any other party
  • Be aware that some services that we use at Airship are not under our control. While we strive to ensure our systems and vendors we use are as secure as possible, we depend on our vendors to ensure their products are up to our security standards. 

Responsible Disclosure Email Template:

Report TemplateDescription
Title of the reportConcise summary categorising the vulnerability, and the site/application where it can be found. (E.g [Reflected XSS] airship.com)
URL / AssetWeb address, IP address, product, service name, etc.
WeaknessCWE, CVE, etc.
SeveritySuch as low, medium, high, critical, and the calculated via CVSS
Description of the VulnerabilityA summary of the vulnerability,
Supporting files Screenshot or Video
Steps to reproduceClear and descriptive steps to reproduce the vulnerability.
ImpactThe effects of successfully exploiting the vulnerability.
RecommendationsAny mitigations


Eligibility requirements:

  • All submissions must be new discoveries. Awards will only be provided to the first researcher who submits a particular security vulnerability or bug. Duplicate reports do not receive awards. Airship determines duplicates at its sole discretion and will not share details on prior similar reports. If a subsequent report on a previously evaluated issue reveals that a vulnerability still remains or is more serious than initially judged, Airship will also award the second submission. 
  • The researcher must not reside in a country currently under U.S. sanctions.
  • Please provide detailed reports with reproducible steps. The researcher must not cut and paste a tool output into a submission without including additional analysis demonstrating the exploitability of a vulnerability. If the report is a false positive or is not detailed enough to reproduce the issue, the researcher will not be eligible for an award.
  • Multiple vulnerabilities caused by one underlying issue will receive one award.
  • You are 13 years of age or older. If you are at least 13 years old but are considered a minor in your place of residence, you must obtain your parent’s or legal guardian’s permission prior to participating in this program

Acknowledgements for third party security issues impacting Airship are issued at Airship’s discretion (E.g. Inclusion in the Hall of Fame).

Prohibited Testing

Please only test services to which you have authorized access. The following testing is not allowed

Threat Bounty Description
Denial of Service NONE Any action that disables or makes Airship resources unavailable
Distributed Denial of Service or Rate Limiting NONE Performance testing, maxing out network bandwidth, or overloading resources with multiple sources
Brute Force Attacks NONE Persistent or iterative attacks against Airship production environments
Using components with Known Vulnerabilities NONE Reporting 3rd party components or libraries Airship is currently using are out of date or vulnerable
Bulk Export of Data NONE Removing data from Airship without our permission in bulk from our systems.
Non-Disclosure of Security Bug NONE No bounty or acknowledgement will be issued for disclosing a bug or vulnerability publicly without informing Airship in accordance with this policy
DNS, DNSSEC, SPF or DMARC Configuration Suggestions NONE Any suggestions involving the current configurations around these systems and protocols will NOT be acknowledged.
HTTP, HTTPS or TLS Security Header Configuration NONE Any suggestions involving the current configurations around these protocols will NOT be acknowledged.

Eligible Domains

The following URLs are in scope for our program:
www.airship.com
www.airship.eu
www.gummicube.com
www.apptimize.eu
www.apptimize.com
analyze.airship.com
analyze-api.airship.com
docs.airship.com
go.airship.com
sftp.airship.com
support-eu.airship.com
support.airship.com
team.airship.com
accengage.net
device-api.urbanairship.com
combine.urbanairship.com

Vulnerability Disclosure Program Reward

We deeply appreciate the contributions of security researchers like you. Currently, we only offer non-monetary rewards for each confirmed vulnerability report. These rewards include a T-shirt to proudly showcase your achievement. Additionally, all eligible researchers will be honored with a well-deserved place in our prestigious Hall of Fame, where your name will be displayed among the talented individuals who have made significant contributions to improving our security posture.

PGP Fingerprint

To send secure emails to our security team, please use the following PGP Fingerprint: 0x8ECBD357243F4CF0

Questions

This is an open-ended dialogue. If there is anything missing, you have a question, or if you’re just curious, please send us an email at security@airship.com.

Hall of Fame

The hall of fame recognizes researchers findings publicly for the last four quarters. Thank you to everyone for your submissions and for working closely with Airship.

ResearcherLinkedInCountryQuarterFindingDate
Parag Bapu BagulLinkedInIndiaQ2 FY24Input Validation2023/04/18
Yash KushwahLinkedInIndiaQ2 FY24Out-of-Date jQuery2023/04/18
Vikas AnandLinkedInIndiaQ2 FY24Directory Listing2023/06/14
Nikhil RaneLinkedInIndiaQ3 FY24Security Misconfiguration2023/07/21
Amol Verma LinkedInIndiaQ3 FY24Security Misconfiguration2023/08/11
Shivam SharmaLinkedInIndiaQ3 FY24Security Misconfiguration2023/08/29
Mayur PandyaLinkedInIndiaQ3 FY24Security Misconfiguration2023/09/28
Durvesh KolheLinkedInIndiaQ3 FY24No Rate Limit2023/09/28
Vinit LakraLinkedInIndiaQ3 FY24Insecure Direct Object References2023/10/17
0d.samikhaleed-samyN/AQ1 FY25Domain2024/02/14
Foysal Ahmed FahimX.comN/AQ1 FY25Domain2024/02/26
Aeden MurrayLinkedInUSQ1 FY25Configuration Error2024/03/07