Vulnerability Disclosure Program

We strive to make the internet more secure for end users by making WebAuthn technology widely accessible to developers. It's of the highest importance that our library does not have security flaws that endanger the users we aim to protect. Feel free to inspect our source code and web assets.

We appreciate all the help we can get from the security community in evaluating and testing the technology.

Scope

Passwordless is both an open source library and a hosted API service. This Vulnerability Disclosure Program covers both entities.

  • Source code: https://github.com/passwordless-lib/fido2-net-lib/
  • Domain: *.passwordless.dev

When targeting the domain *.passwordless.dev we ask you not to perform disruptive actions and follow the Rules Of Engagement. Note: Please include the word 'hacker' in your account name to help us identify problematic traffic.

Out Of Scope

  • You may not target any customer or user who is using fido2-net-lib.
  • You may not target any individual contributing to the project in any form.

Rules of Engagement, Testing, and Proof-of-concepts

When researching security issues, especially those which may compromise the privacy of others, you must use only test accounts in order to respect our users' privacy. Accessing private information of other users, or performing actions that may negatively affect Passwordless's users (e.g., spam, denial of service), will disqualify the report. Activity that is disruptive to Passwordless operations will result in account bans and disqualification of the report. Examples of disruptive activity include, but are not limited to:

  • Spam-like or other high volume activity
  • Submission of support, sales or other requests to 3rd party systems
  • Mass creation of users, groups, and projects
  • Typosquatting or other namesquatting

Sending reports from automated tools without verifying them will immediately disqualify the report.

Disruptive activity such as that listed above can be researched freely on your own installation of fido2-net-lib.
Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

SLA

We will make a best effort to meet the following SLAs for hackers participating in our program:

  • Time to first response (from report submission): 3 business days
  • Time to triage (from report submission): 14 business days

The only appropriate place to inquire about a report's status is the report email thread itself. Please refrain from submitting your report, or inquiring about its status, through additional channels such as GitHub Issues or any other unrelated report, as this unnecessarily ties up the security team's resources.

Disclosure

All resolved reports will be made public via issues on GitHub.com 30-60 days after a fix is released. We will redact all information we consider sensitive (such as cookies or tokens), but do not hesitate to let us know if additional content should be hidden.

If you want to be listed in our Hall Of Fame on the main README, please inform us about it in the report. If you want to be kept anonymous, please inform us about it in the report.

All disclosure should be done via email to security@passwordless.dev.

Eligibility for Participation

You are responsible for complying with any applicable laws.