From 767419994c95a5451c82d06ce14bb0e103d54a34 Mon Sep 17 00:00:00 2001 From: Chad Whitacre Date: Thu, 14 Jul 2016 11:25:16 -0400 Subject: [PATCH] State SSLLabs "A" policy as a positive one --- www/appendices/security-program.md | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/www/appendices/security-program.md b/www/appendices/security-program.md index b8ff4c8..9b50686 100644 --- a/www/appendices/security-program.md +++ b/www/appendices/security-program.md @@ -43,6 +43,9 @@ We take security seriously, and we're proud to be able to offer bounties through * [https://grtp.co](https://grtp.co) (not in scope for clickjacking) * any other [software we publish](https://github.com/gratipay) +We target an "A" grade on SSLLabs for both [grtp.co](https://www.ssllabs.com/ssltest/analyze.html?d=grtp.co) and [gratipay.com](https://www.ssllabs.com/ssltest/analyze.html?d=gratipay.com). + + ## Out of scope Any services hosted by 3rd party providers and services are excluded from scope. @@ -54,12 +57,6 @@ In the interest of the safety of our users, staff, the Internet at large and you * Findings from applications or systems not listed in the ‘Scope’ section * UI and UX bugs and spelling mistakes * Network level Denial of Service (DoS/DDoS) vulnerabilities -* Findings related to *weaks* SSL/TLS ciphers, Diffie-Hellman parameters... as long our grade on [ssllabs](https://ssllabs.com/) -is at least "A" - -By example, this means that the following reports will be categorized as "Out of scope": -* Any report related to `Server` header disclosure on [https://assets.gratipay.com](https://assets.gratipay.com) (which is not on scope and hosted on MaxCDN) -* Any report related to weaks SSL/TLS ciphers for [https://gratipay.com](https://gratipay.com) (hosted on Heroku, we don't have control over it) Things we do not want to receive:
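Review bot: In the first hunk (security-program.md @@ -43,6 +43,9 @@) the new "We target an "A" grade on SSLLabs ..." sentence states a goal but not the triage consequence, so a reader cannot tell whether a weak-cipher or Diffie-Hellman report that leaves both hosts at "A" will be accepted or closed; consider appending one sentence to the added line, e.g. "TLS configuration findings that do not lower either host below "A" are out of scope." Also, the hunk adds two blank `+` lines before `## Out of scope` where the file otherwise separates sections with one; drop one of them.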
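Review bot: In the second hunk (@@ -54,12 +57,6 @@) the `-` lines remove more than the weak-cipher exclusion the subject line restates: the "By example" block and its `Server` header disclosure example for https://assets.gratipay.com (MaxCDN) are unrelated to the SSLLabs policy and are the only concrete illustration of the "services hosted by 3rd party providers" exclusion that remains above. Keep that example (and the note that gratipay.com's TLS stack is Heroku-controlled) under "Out of scope", or say in the commit message why the examples are being dropped along with the cipher rule.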