Responsible Disclosure of Security Issues
We welcome the community to help contribute to the security of our platform and the Giant Swarm ecosystem.

To report a vulnerability, abuse, or for security-related inquiries, please send an email to security@giantswarm.io.

If you have a sensitive issue, you can encrypt your message using our PGP key.

We appreciate you choosing to contact us directly with your concerns. We are committed to protecting our users and our customers, and will act quickly to investigate and respond to your report.

Following your report, Giant Swarm will:

- acknowledge your email within 48 business hours
- reach out to you for additional information if necessary
- notify you when the problem has been resolved

Giant Swarm does not have a monetary bounty program at this time, but we would be happy to publicly credit you for new findings and send you some swag as a thank you.

If you would like to be credited, please include the name, nickname, and/or GitHub username you would like us to reference, as well as your shipping information for us to send your Giant Swarm gear.

Thank you for reporting responsibly!

Please note that findings must have demonstrable impact to be considered, and the bounty value and eligibility will be at our discretion.

Scope

We are most interested in findings affecting our platform, as opposed to our public website. Our code is open source and is available on GitHub. Findings related to outdated or vulnerable dependencies must include a proof of concept. Sample/placeholder/demonstration content (for example, placeholder passwords in a training project) is not considered a valid finding.

Our public website (giantswarm.io) and its subdomains do not serve any user login, account management, or otherwise sensitive content. They are hosted by HubSpot (which has a separate bounty program) and serve static content. For that reason, the following areas and findings are currently out of scope:

- Clickjacking on any giantswarm.io page
- The Content-Security-Policy header
- The X-XSS-Protection header
- The HSTS header/mixed HTTP(S) content
- All console-based or self-XSS behaviors

Additional out-of-scope findings:

- Rate limits on forms and fields on giantswarm.io and subpages

Finally, the following are always out of bounds:

- Phishing, social engineering, intimidation, or any sort of attack or targeted interaction against any of Giant Swarm's employees, users, or customers
- DDoS attacks
- Spam