SECURITY.md

Security Policy

Ushahidi uses a variety of industry-standard technologies and services to secure your data from unauthorized access, disclosure, use, and loss. Security is directed by Ushahidi's Chief Technical Officer and maintained by our engineering team.

We take reasonable administrative, physical and electronic measures designed to protect the information that we collect from or about you (including your PII) from unauthorized access, use or disclosure. Please be aware, however, that no method of transmitting information over the Internet or storing information is completely secure. Accordingly, we cannot guarantee the absolute security of any information.

Vulnerability Disclosure

If you would like to report a vulnerability or have any security concerns with an Ushahidi product, please contact [email protected].

If possible, include information needed to reproduce and validate the vulnerability, a proof of concept, a list of tools used (including versions), and the output of the tools. We take all disclosures very seriously. Once disclosures are received, we verify each vulnerability before taking the necessary steps to fix it. Once verified, we periodically send status updates as problems are fixed.

Responsible Disclosure

Ushahidi supports responsible disclosure practices. To encourage responsible reporting, we will not take legal action against you or ask law enforcement to investigate if you comply with the following Responsible Disclosure Guidelines:

  • Provide details of the vulnerability - as specified above
  • Make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our services
  • Do not modify or access data that does not belong to you
  • Give us a reasonable time to correct the issue before making any information public
  • Do not search for vulnerabilities on ushahidi.com and other Ushahidi properties themselves. Ushahidi is open-source software, so you can install a copy yourself and test against that. If you want to perform testing without setting up Ushahidi yourself, please contact us to arrange access to a staging server.

Security Researcher Hall Of Fame

Ushahidi would like to thank the following individuals for disclosing security issues to us:

  • Aaron Hall
  • Aditya Arora
  • Amy K. Farrell
  • Brad Anthony
  • Dennison Williams
  • George Chamales
  • Kees Cook
  • Mohammed Israil
  • Timothy D. Morgan
  • postmodern
  • Rayen Messaoudi
  • Rob Munro
  • Victor Angelier
  • Wil Clouser