From babc45799f4974e13d94d21d7cf937d4b992f7ac Mon Sep 17 00:00:00 2001 From: Cipriano Groenendal Date: Tue, 19 Aug 2025 13:14:44 +0200 Subject: [PATCH 01/13] Update responsible-disclosure-policy.md --- .../responsible-disclosure-policy.md | 88 +++++++------------ 1 file changed, 34 insertions(+), 54 deletions(-) diff --git a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md index 08582c34..fae3c83f 100644 --- a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md +++ b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md 
@@ -11,61 +11,41 @@ redirect_from: # Responsible Disclosure Policy +Security is a core priority at Hypernode. We highly value the work of ethical hackers and security researchers who help us protect our systems and our users. If you’ve discovered a potential vulnerability, we would love to hear about it through the Intigriti platform. +**Important**: We only accept vulnerability submissions via our Intigriti bug bounty program. Reports sent via email or other means will not be eligible for a bounty. -We take the security of our systems and our users very seriously, and we value the security community. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users. +## How to Report a Vulnerability +We’ve partnered with [Intigriti](https://www.intigriti.com/), a trusted bug bounty platform, to handle all responsible disclosure submissions. Our program is private, so you’ll need to be invited before you can submit a report. +To request access, simply e-mail us your Intigriti username at [security@nl.team.blue](mailto:security@nl.team.blue). -## Guidelines - -We require that all researchers: - -- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing. -- Use the identified communication channels to report vulnerability information to us. -- Keep information about any vulnerabilities you’ve discovered confidential between yourself and Hypernode until we’ve had 90 days to resolve the issue. -- Do not abuse found vulnerabilities. Don’t download more information than is necessary to show the vulnerability. -- Do not change or remove data. This includes scrubbing your own ‘footprints’, logfiles, tmpfiles, history files, etc, etc. 
- -If you follow these guidelines when reporting an issue to us, we commit to: - -- Not pursue or support any legal action related to your research; -- Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission); -- Keep you updated on our efforts in solving the issue; -- If you are the first to report the issue and we make a code or configuration change based on the issue, we will include you in our Security Hall of Fame. +Once invited, you’ll be able to access our Intigriti program, where you’ll find: +* A detailed list of in-scope and out-of-scope systems +* Rules of engagement for security testing +* Submission guidelines +* Potential rewards for eligible findings ## Scope - -We accept reports for vulnerabilities in any of the following: - -- All systems and services running under the byte.nl, hypernode.nl, hypernode.com, hipex.nl, hipex.io and magereport.com domains, and any of its subdomains. -- All systems and services running in the 194.150.225.0/25 ip range. -- Any published code on our [ByteInternet GitHub](https://github.com/ByteInternet), [Hypernode GitHub](https://github.com/Hypernode), [HipexBV GitHub](https://github.com/HipexBV), [hn-support GitHub gists](https://gist.github.com/hn-support), or in our documentation. -- Any vulnerabilities on our clusterhosting environment, and on the Hypernode vagrant / docker setup, or generic Hypernode vulnerabilities, are also welcome. - -## Out of Scope - -In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope: - -- **The testing of sites we host for our customers, including sites hosted under the testbyte.nl, or the hypernode.io domain, is explicitly NOT ALLOWED.** -- Any tests on services hosted by 3rd party providers and services, even if hosted under an in-scope domain name. -- Physical testing such as office access (e.g. 
open doors, tailgating). -- Social Engineering (e.g. phishing, vishing). -- Tests on any applications or systems not listed in the ‘Scope’ section. -- Testing for UI and UX bugs and spelling mistakes. -- Network level Denial of Service (DoS/DDoS) vulnerabilities or brute force attacks. - -Things we do not wish to receive from you are the following: - -- Personally identifiable information (PII) -- Credit Card holder data -- We are aware not all our domains have complete SPF / DKIM / DMARC setups. -- We are aware our marketing domains contain social media links are missing 'noopener' attributes, and can placed in iframes. - -## How to report a security vulnerability - -If you believe you’ve found a security vulnerability in one of our products or platforms please send it to us by emailing disclosure@nl.team.blue. Please include the following details with your report: - -- Description of the location and potential impact of the vulnerability -- A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us) -- If you saw any customer data, or confidential information, during your research, please inform us of this as well. -- Your name/handle and a link for recognition in our Hall of Fame. - -If you’d like to encrypt the information, please use our [PGP-key](https://pgp.mit.edu/pks/lookup?search=0x4FDDF9236D0E2A2E&op=index&rel=noopener): (ID: 6D0E2A2E, Fingerprint: 5CF5 61BE C0AA AE11 8164 6576 4FDD F923 6D0E 2A2E). +You can find the current scope and testing guidelines directly on our Intigriti page. + +## What We Expect +We ask all researchers to follow these basic rules: +* Do not exploit vulnerabilities beyond what is necessary for proof-of-concept. +* Avoid impacting user data or privacy. +* No social engineering or physical testing. +* Keep your findings confidential until we’ve had a chance to fix the issue. 
+ +If you play by the rules, we commit to: +* Reviewing your report promptly. +* Keeping you informed about progress. +* Rewarding you when appropriate. +* Never taking legal action against responsible researchers. + +## Why Intigriti? +Using Intigriti benefits both sides: +* A secure and trusted platform for disclosure of vulnerabilities. +* Structured communication and feedback. +* Bounty rewards for accepted reports and easy payout. +* Optional anonymity for researchers. +By centralizing our vulnerability handling with Intigriti, we ensure a smooth, fair, and secure process for everyone involved. +Thanks for helping us make Hypernode more secure for all our users. +We appreciate your time, your skills, and your ethical approach. From 9039a96955fe24170d693c7693bb793cf95e3e6a Mon Sep 17 00:00:00 2001 From: Cipriano Groenendal Date: Tue, 19 Aug 2025 13:26:54 +0200 Subject: [PATCH 02/13] Update docs/about-hypernode/security-policies/responsible-disclosure-policy.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .../security-policies/responsible-disclosure-policy.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md index fae3c83f..aac3eefc 100644 --- a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md +++ b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md 
@@ -11,6 +11,7 @@ redirect_from: # Responsible Disclosure Policy + Security is a core priority at Hypernode. We highly value the work of ethical hackers and security researchers who help us protect our systems and our users. If you’ve discovered a potential vulnerability, we would love to hear about it through the Intigriti platform. **Important**: We only accept vulnerability submissions via our Intigriti bug bounty program. Reports sent via email or other means will not be eligible for a bounty. From b46077b013bab74a6dff71244f4c54f08fe4b0a2 Mon Sep 17 00:00:00 2001 From: Cipriano Groenendal Date: Tue, 19 Aug 2025 13:27:06 +0200 Subject: [PATCH 03/13] Update docs/about-hypernode/security-policies/responsible-disclosure-policy.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .../security-policies/responsible-disclosure-policy.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md index aac3eefc..89428091 100644 --- a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md +++ b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md @@ -16,6 +16,7 @@ Security is a core priority at Hypernode. We highly value the work of ethical ha **Important**: We only accept vulnerability submissions via our Intigriti bug bounty program. Reports sent via email or other means will not be eligible for a bounty. ## How to Report a Vulnerability + We’ve partnered with [Intigriti](https://www.intigriti.com/), a trusted bug bounty platform, to handle all responsible disclosure submissions. Our program is private, so you’ll need to be invited before you can submit a report. To request access, simply e-mail us your Intigriti username at [security@nl.team.blue](mailto:security@nl.team.blue). From 57ef920f3ddfb5a0d92f02ecdc2bfeb0be16bfe6 Mon Sep 17 00:00:00 2001 
From: Cipriano Groenendal Date: Tue, 19 Aug 2025 13:27:25 +0200 Subject: [PATCH 04/13] Update docs/about-hypernode/security-policies/responsible-disclosure-policy.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .../security-policies/responsible-disclosure-policy.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md index 89428091..23267c77 100644 --- a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md +++ b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md @@ -21,10 +21,11 @@ We’ve partnered with [Intigriti](https://www.intigriti.com/), a trusted bug bo To request access, simply e-mail us your Intigriti username at [security@nl.team.blue](mailto:security@nl.team.blue). Once invited, you’ll be able to access our Intigriti program, where you’ll find: -* A detailed list of in-scope and out-of-scope systems -* Rules of engagement for security testing -* Submission guidelines -* Potential rewards for eligible findings + +- A detailed list of in-scope and out-of-scope systems +- Rules of engagement for security testing +- Submission guidelines +- Potential rewards for eligible findings ## Scope You can find the current scope and testing guidelines directly on our Intigriti page. From a553e9608dc3e2342248cbea736f3ae1f8ce10b2 Mon Sep 17 00:00:00 2001 From: Cipriano Groenendal Date: Tue, 19 Aug 2025 13:27:33 +0200 Subject: [PATCH 05/13] Update docs/about-hypernode/security-policies/responsible-disclosure-policy.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .../security-policies/responsible-disclosure-policy.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md index 23267c77..3b48c6e8 100644 --- a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md +++ b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md @@ -30,6 +30,7 @@ Once invited, you’ll be able to access our Intigriti program, where you’ll f ## Scope You can find the current scope and testing guidelines directly on our Intigriti page. + ## What We Expect We ask all researchers to follow these basic rules: * Do not exploit vulnerabilities beyond what is necessary for proof-of-concept. From ecd41a7600e2c66772df53d3e39bc3d8bff3b962 Mon Sep 17 00:00:00 2001 From: Cipriano Groenendal Date: Tue, 19 Aug 2025 13:27:40 +0200 Subject: [PATCH 06/13] Update docs/about-hypernode/security-policies/responsible-disclosure-policy.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .../security-policies/responsible-disclosure-policy.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md index 3b48c6e8..ab3c90a7 100644 --- a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md +++ b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md @@ -33,10 +33,6 @@ You can find the current scope and testing guidelines directly on our Intigriti ## What We Expect We ask all researchers to follow these basic rules: -* Do not exploit vulnerabilities beyond what is necessary for proof-of-concept. -* Avoid impacting user data or privacy. -* No social engineering or physical testing. -* Keep your findings confidential until we’ve had a chance to fix the issue. If you play by the rules, we commit to: * Reviewing your report promptly. 
From 0d958f0f1f5ddbce86d67d933334c316f5af4fb6 Mon Sep 17 00:00:00 2001 From: Cipriano Groenendal Date: Tue, 19 Aug 2025 13:28:36 +0200 Subject: [PATCH 07/13] Update docs/about-hypernode/security-policies/responsible-disclosure-policy.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .../security-policies/responsible-disclosure-policy.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md index ab3c90a7..27625d52 100644 --- a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md +++ b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md @@ -35,10 +35,11 @@ You can find the current scope and testing guidelines directly on our Intigriti We ask all researchers to follow these basic rules: If you play by the rules, we commit to: -* Reviewing your report promptly. -* Keeping you informed about progress. -* Rewarding you when appropriate. -* Never taking legal action against responsible researchers. + +- Reviewing your report promptly. +- Keeping you informed about progress. +- Rewarding you when appropriate. +- Never taking legal action against responsible researchers. ## Why Intigriti? Using Intigriti benefits both sides: From e443ae09cb8b7861cda4ed485981f934b77005cc Mon Sep 17 00:00:00 2001 From: Cipriano Groenendal Date: Tue, 19 Aug 2025 13:28:46 +0200 Subject: [PATCH 08/13] Update docs/about-hypernode/security-policies/responsible-disclosure-policy.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .../security-policies/responsible-disclosure-policy.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md index 27625d52..736d21a1 100644 --- a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md +++ b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md @@ -34,6 +34,7 @@ You can find the current scope and testing guidelines directly on our Intigriti ## What We Expect We ask all researchers to follow these basic rules: + If you play by the rules, we commit to: - Reviewing your report promptly. From a9a94c181cdd55a68aeb3d9a32355f59119d8186 Mon Sep 17 00:00:00 2001 From: Cipriano Groenendal Date: Tue, 19 Aug 2025 13:29:52 +0200 Subject: [PATCH 09/13] Update docs/about-hypernode/security-policies/responsible-disclosure-policy.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .../responsible-disclosure-policy.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md index 736d21a1..5a9ace96 100644 --- a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md +++ b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md 
@@ -44,10 +44,12 @@ If you play by the rules, we commit to: ## Why Intigriti? Using Intigriti benefits both sides: -* A secure and trusted platform for disclosure of vulnerabilities. -* Structured communication and feedback. -* Bounty rewards for accepted reports and easy payout. -* Optional anonymity for researchers. -By centralizing our vulnerability handling with Intigriti, we ensure a smooth, fair, and secure process for everyone involved. -Thanks for helping us make Hypernode more secure for all our users. -We appreciate your time, your skills, and your ethical approach. + + +- A secure and trusted platform for disclosure of vulnerabilities. +- Structured communication and feedback. +- Bounty rewards for accepted reports and easy payout. +- Optional anonymity for researchers. + By centralizing our vulnerability handling with Intigriti, we ensure a smooth, fair, and secure process for everyone involved. + Thanks for helping us make Hypernode more secure for all our users. + We appreciate your time, your skills, and your ethical approach. From 23ec15ab5a60e7e64e6db2e1ce9aac70e3c156a0 Mon Sep 17 00:00:00 2001 From: Cipriano Groenendal Date: Tue, 19 Aug 2025 13:51:53 +0200 Subject: [PATCH 10/13] Update docs/about-hypernode/security-policies/responsible-disclosure-policy.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .../security-policies/responsible-disclosure-policy.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md index 5a9ace96..2804200a 100644 --- a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md +++ b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md 
@@ -28,6 +28,7 @@ Once invited, you’ll be able to access our Intigriti program, where you’ll f - Potential rewards for eligible findings ## Scope + You can find the current scope and testing guidelines directly on our Intigriti page. From 109c4d437303366efd71a1ffe37aa4338a7436b6 Mon Sep 17 00:00:00 2001 From: Cipriano Groenendal Date: Tue, 19 Aug 2025 13:58:03 +0200 Subject: [PATCH 11/13] Update docs/about-hypernode/security-policies/responsible-disclosure-policy.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .../security-policies/responsible-disclosure-policy.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md index 2804200a..c7b49efb 100644 --- a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md +++ b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md @@ -31,7 +31,6 @@ Once invited, you’ll be able to access our Intigriti program, where you’ll f You can find the current scope and testing guidelines directly on our Intigriti page. - ## What We Expect We ask all researchers to follow these basic rules: From 8272ddc063ad015475a6fdc4d6d9d62de41f4ea1 Mon Sep 17 00:00:00 2001 From: Cipriano Groenendal Date: Tue, 19 Aug 2025 14:24:01 +0200 Subject: [PATCH 12/13] Update responsible-disclosure-policy.md --- .../responsible-disclosure-policy.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md index c7b49efb..7bb25157 100644 --- a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md +++ b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md 
@@ -32,8 +32,13 @@ Once invited, you’ll be able to access our Intigriti program, where you’ll f You can find the current scope and testing guidelines directly on our Intigriti page. ## What We Expect + We ask all researchers to follow these basic rules: +- Do not exploit vulnerabilities beyond what is necessary for proof-of-concept. +- Avoid impacting user data or privacy. +- No social engineering or physical testing. +- Keep your findings confidential until we’ve had a chance to fix the issue. If you play by the rules, we commit to: @@ -43,13 +48,13 @@ If you play by the rules, we commit to: - Never taking legal action against responsible researchers. ## Why Intigriti? -Using Intigriti benefits both sides: +Using Intigriti benefits both sides: - A secure and trusted platform for disclosure of vulnerabilities. - Structured communication and feedback. - Bounty rewards for accepted reports and easy payout. - Optional anonymity for researchers. - By centralizing our vulnerability handling with Intigriti, we ensure a smooth, fair, and secure process for everyone involved. - Thanks for helping us make Hypernode more secure for all our users. - We appreciate your time, your skills, and your ethical approach. + +By centralizing our vulnerability handling with Intigriti, we ensure a smooth, fair, and secure process for everyone involved. +Thanks for helping us make Hypernode more secure for all our users. We appreciate your time, your skills, and your ethical approach. From dfdc56514f1aa0b614fc0c3e555be6256639d820 Mon Sep 17 00:00:00 2001 From: Cipriano Groenendal Date: Tue, 19 Aug 2025 14:31:41 +0200 Subject: [PATCH 13/13] Update responsible-disclosure-policy.md --- .../security-policies/responsible-disclosure-policy.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md index 7bb25157..1fe6b6b2 100644 
--- a/docs/about-hypernode/security-policies/responsible-disclosure-policy.md +++ b/docs/about-hypernode/security-policies/responsible-disclosure-policy.md @@ -13,6 +13,7 @@ redirect_from: # Responsible Disclosure Policy Security is a core priority at Hypernode. We highly value the work of ethical hackers and security researchers who help us protect our systems and our users. If you’ve discovered a potential vulnerability, we would love to hear about it through the Intigriti platform. + **Important**: We only accept vulnerability submissions via our Intigriti bug bounty program. Reports sent via email or other means will not be eligible for a bounty. ## How to Report a Vulnerability
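Review bot: In PATCH 01/13 the rewritten "## Scope" section points only to the Intigriti page, which the same hunk describes as private and invite-only, so the public policy no longer tells an uninvited reader what must not be tested. The removed "Out of Scope" list carried the explicit ban on testing customer-hosted sites (testbyte.nl, hypernode.io) and on network-level DoS and brute force; suggest keeping at least those exclusions on this page and linking to Intigriti for the full list. The "**Important**" line also needs tightening: it says submissions are only accepted via Intigriti, then says emailed reports "will not be eligible for a bounty", which leaves open whether an emailed report is still triaged. Since the hunk also drops the PGP key and the disclosure@nl.team.blue address, state what security@nl.team.blue may be used for besides access requests. Finally, the 72-hour confirmation and 90-day confidentiality window are replaced by "promptly" and "until we've had a chance to fix the issue"; consider keeping concrete timeframes so both sides know what to expect.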
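Review bot: PATCH 06/13 deletes the four rule bullets under "## What We Expect" but keeps the lead-in "We ask all researchers to follow these basic rules:", so every revision from this commit until PATCH 12/13 restores them promises rules and lists none, followed directly by "If you play by the rules, we commit to:". The intent looks like the same `*` to `-` list conversion applied in PATCH 04/13 and 07/13, with the replacement lines lost. Suggest squashing 06 and 12 (or the whole series) so no intermediate revision of a security policy can be published without its rules of engagement.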
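Review bot: In PATCH 09/13 the three closing sentences ("By centralizing...", "Thanks for helping...", "We appreciate...") are re-added with a leading space and no blank line after the last list item, so Markdown treats them as a continuation of the "Optional anonymity for researchers." bullet rather than as a closing paragraph. The hunk also inserts two blank lines before the list where one is enough. PATCH 12/13 corrects both, so this is best folded into that commit instead of landing as a separate revision.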