State SSLLabs "A" policy as a positive one

gratipay · Jul 14, 2016 · 7674199 · 7674199
1 parent 39537fd
commit 7674199
Showing 1 changed file with 3 additions and 6 deletions.
diff --git a/www/appendices/security-program.md b/www/appendices/security-program.md
@@ -43,6 +43,9 @@ We take security seriously, and we're proud to be able to offer bounties through
 * [https://grtp.co](https://grtp.co) (not in scope for clickjacking)
 * any other [software we publish](https://github.com/gratipay)
 
+We target an "A" grade on SSLLabs for both [grtp.co](https://www.ssllabs.com/ssltest/analyze.html?d=grtp.co) and [gratipay.com](https://www.ssllabs.com/ssltest/analyze.html?d=gratipay.com).
+
+
 ## Out of scope
 
 Any services hosted by 3rd party providers and services are excluded from scope.
@@ -54,12 +57,6 @@ In the interest of the safety of our users, staff, the Internet at large and you
 *   Findings from applications or systems not listed in the ‘Scope’ section
 *   UI and UX bugs and spelling mistakes
 *   Network level Denial of Service (DoS/DDoS) vulnerabilities
-*   Findings related to *weaks* SSL/TLS ciphers, Diffie-Hellman parameters... as long our grade on [ssllabs](https://ssllabs.com/)
-is at least "A"
-
-By example, this means that the following reports will be categorized as "Out of scope":
-*   Any report related to `Server` header disclosure on [https://assets.gratipay.com](https://assets.gratipay.com) (which is not on scope and hosted on MaxCDN)
-*   Any report related to weaks SSL/TLS ciphers for [https://gratipay.com](https://gratipay.com) (hosted on Heroku, we don't have control over it)
 
 Things we do not want to receive: