From a7cac8694c19942e15aa0d085b7cd643ee00af78 Mon Sep 17 00:00:00 2001 From: Devin Weaver Date: Mon, 30 Apr 2018 13:29:23 -0400 Subject: [PATCH 1/4] Add Security PGP public key This is the signing key for security.txt and the key that researchers can encrypt to if they feel the need to keep communication secret. The private (secret) is stored in Keybase.io to the newhavenio.admins team where only a select few members have access and that membership list can be adjusted over time. --- .well-known/pgp-key.txt | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 .well-known/pgp-key.txt diff --git a/.well-known/pgp-key.txt b/.well-known/pgp-key.txt new file mode 100644 index 0000000..0d29101 --- /dev/null +++ b/.well-known/pgp-key.txt 
@@ -0,0 +1,41 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBFrnR38BCADKf6DncKTrzqtnaXadNVLlDoYiA5TWAvtATrjzplPWGrAYaOoo +u1Ls4f/RFqJWMjEz+jDiy7YOnrYKxWFAHkrvQWTMSNLEJsg5IJsVq7QVjchje37d +5/zNFLsTJrcxR6Niqom6RWQTraqhbaVx34ZL/Pmu21s3DPedyNIwG+WMV/ESiRj5 +GlansUA2SQF06kCnB1KAN8asIuluaSq3hLANQcDKksfPKlDyIPp41A7FMtDvj3xO +rrSIqxIBYZsxUJ1jGENGG485ZaTAmTQx9dto9pCe0IzZRzhYjzgyeWdLNi0dzoTK +Xm9RZG37PLkI9LQkIWgktywtUsIzwR+n35kJABEBAAG0Kk5ld0hhdmVuSU8gU2Vj +dXJpdHkgPHNlY3VyaXR5QG5ld2hhdmVuLmlvPokBPQQTAQgAJwUCWudHfwIbAwUJ +AeEzgAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRALqX8kxTsK/+hjB/4tnmpU +Vws0EHjcxxy7q62UEX/jcHfyVdLOrKm67yqOeWZkrflCtZgNzv24BFGw0jnrA/Sr +TbhxzmouGr41aduvtF5RXNv5533mzVrUA+N6DIawsao6eFgADOkdXpNUEN5VU7Z0 +O0T48L28VjsF8xpq6q92RhLG4lDWP7UNGZA/tf6qqj6QY7AOZ6JBAtmQOFn+hjkz +6yQWGc9sE110xn0nbpyU1ElMczn2saZcJ8HTfoKqQ1yLA0uAnGoDbGM+T/pSXNNK +0dRrzRr3lBWykqNudCecmpoLXu+GnHxLFZcnhWdR8XTB6tiS9MUKngcP5pZOBo9p +cL5BeSS5p8prrGHQiQIcBBABCAAGBQJa50j+AAoJEOvZnJLednyKO2cP/1g7oucK +TJrqlAxa9sXPWgdkwIb+/JT/v2TE7ug+YchCN4wrNwYpuO2zrgiPYP+Y3ZEG+W86 +Z4jmfSEtKWir7undvvJ+AHQNAJHBxzYuD3P8bcHleJRGv1yrG7yesu0xoB6gO/gr +vqBJvLql8qWgkZG4tr53AVkSYqZPZ+W1xP7B/n43kM6AB1X6zl91poIZ2Xmt9/qd +2bonlWBpSMPc8CH4BkeG0eIrixzV0Havjls3QlrD1HqSrjCzckS1o1CcFkbuRppE +udighCBf9z0TdZJYD08ZCXpUmsF8FfulJ9BmwkNWTLrmBKNkublzNgiDTNxVHYK8 +ZyXoBdY56MK7yBr/07xGy9Uh0zauNE/hiPD5Fiy47vRKl68M/1n/hlZkAT3fQ6Q1 +SzVvYxNBLXG1KyRYIRT8hpGclVA4mXy0r8jLfM3cj+48eNK7I0ohr7cj1wJHVXoY +XT/i9BZEkI2dLoyHw2vpSgRwWAIK4LMUgaf51ye0dNVC8JNCLyBgQ872+YI7GMFI +PkU/lmVVw4uyQ/lWJIHfYb0UmLM3dkNPdfUObJ6q7nk7gCwQVhKNqt8xMYMJQjpx +Az79jCs5k18zIoZfskU3fXn9FEmGDVAZNItxFjSvQjBgrqZV+5ox3yeS1Bssokkn +sUkgQ0MFwhmpj91jiCIlMrP8XNiATsfGYSvUuQENBFrnR38BCADypMNPBAt6qTdz +kIzkGY5cplVnPJYTT/4I1UbW5LddR6GmC13Luv2NUylXW8Ed8Xcqff+d6zJhZ5C4 +Y2DiOz95WhR7wmgZxjna1hsmGjZCfvJmE6mtFf5Zlcaax6yZjSh9KqfcA3zKySfA +6zwf6Fa4w4nHK9WJ14dwA70K3uDKdGTyWRYG46nNLvsT+e9C8DdldAClS9Jnt33L +KQVLybariqBH8VgU1+A6IUpdCimVq22/UQ26ifrIv7GhYcJpAKgSKP2CCXyrXisL 
+AAQ5g//xtdvXzOBn6s+MeYl92b8HPGm2zlCodb8u6LjyooyNY9yq/Ls8G7glhJ6R +9rc/KxeZABEBAAGJASUEGAEIAA8FAlrnR38CGwwFCQHhM4AACgkQC6l/JMU7Cv+4 +hAf/U/TdJKwlN7VG5ueiWIpzUxQ/xALeX9jTwb0iuT+ZuIh2V9WR/3kx7oInZXnB +MJ8IQq1ByUm0tC50pUOnAIOxDFDtxLglnCEjTmWhycQC296xBg9ZiDVkyew3IQQN +CMldew5FXgNNHWiWhAC+nIDtNzJU7K1yopMsRdr9evsdWVjKn0qUUBPzND36XMWv +Tb0XayjQxSV76RxVAfjpXx3Iekcvhe+H5mZuxApH+TBdc4ZaDS5sHZn2QN9knYRi +N/Qtksmeww2hyafXBp38HXbRUZB6qMbm6gQSFIMrmnvPjnQ0ikGFrPqNPbG7+cPN +wPfVWXC7y45nCYFyZFmENqzfTg== +=M5du +-----END PGP PUBLIC KEY BLOCK----- From 1ef18078ae32f064557ff8e75c9d2abe74efc162 Mon Sep 17 00:00:00 2001 From: Devin Weaver Date: Mon, 30 Apr 2018 13:31:31 -0400 Subject: [PATCH 2/4] Add security.txt (signed) This is based on the template provided by https://securitytxt.org --- .well-known/security.txt | 5 +++++ .well-known/security.txt.asc | 10 ++++++++++ 2 files changed, 15 insertions(+) create mode 100644 .well-known/security.txt create mode 100644 .well-known/security.txt.asc diff --git a/.well-known/security.txt b/.well-known/security.txt new file mode 100644 index 0000000..37dd31c --- /dev/null +++ b/.well-known/security.txt @@ -0,0 +1,5 @@ +Contact: mailto:security@newhaven.io +Encryption: https://newhaven.io/.well-known/pgp-key.txt +Acknowledgements: https://newhaven.io/acknowlegements.html +Policy: https://newhaven.io/privacy-policy.html +Signature: https://newhaven.io/.well-known/security.txt.asc diff --git a/.well-known/security.txt.asc b/.well-known/security.txt.asc new file mode 100644 index 0000000..e329da7 --- /dev/null +++ b/.well-known/security.txt.asc 
@@ -0,0 +1,10 @@ +-----BEGIN PGP SIGNATURE----- + +iQEcBAABCgAGBQJa51hEAAoJEAupfyTFOwr/tsAH/RhQBTs+wrqeXF4Dk0k6A5A3 ++GAtn63bsN37K0USVCsi9SYIL+6zETEGkH25MSaxSY5X24DZo0aYfHodztjWHq30 +j5bR340D4VFYH8ff3lgIEBqC2dkqAj1/N1jknKDQLaHvOTdYKhqlFtyA3Wbmc7Oj +I38pQbdhVqrYhOXUaRdgli035Pvli+lSp3NFzryVFD3U3MrnnVvFuLNuuuILi+I1 +7SqgtQPURdL2ONw1MCAxPtOI5UE+5nb/bbXvrvtvIbzKUlmOE/9zPXc0fFG0XxmQ +JNqg2TiVuEmL6zhiXgbp1s/qbe3ZMt9cOOd50zqxzg0fqVTiK6QffXrhNFmqxgc= +=MLKN +-----END PGP SIGNATURE----- From 5d6aef11f7bc29e0b7d59d0af2e9eae3914603c8 Mon Sep 17 00:00:00 2001 From: Devin Weaver Date: Mon, 30 Apr 2018 13:32:55 -0400 Subject: [PATCH 3/4] Add an acknowlegements page This is an optional idea but highly encouraged by the specifications. --- acknowlegements.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 acknowlegements.md diff --git a/acknowlegements.md b/acknowlegements.md new file mode 100644 index 0000000..3d46136 --- /dev/null +++ b/acknowlegements.md @@ -0,0 +1,14 @@ +--- +layout: page +title: Acknowledgements +--- + +We would like to thank the following for their generous contributions to this +site: + +* [@sukima](https://tritarget.org/) + +We also would like to acknowledge the following for their help in identifying +and mitigating security flaws: + +* [@sukima](https://tritarget.org/) - Adding `security.txt` From b2015fe78aeeafd9dbda0535bd0264df12ab6680 Mon Sep 17 00:00:00 2001 From: Devin Weaver Date: Mon, 30 Apr 2018 13:33:26 -0400 Subject: [PATCH 4/4] Add Privacy Policy page I copied the policy I have on my static blog site https://tritarget.org/#Privacy%20Policy --- privacy-policy.md | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 privacy-policy.md diff --git a/privacy-policy.md b/privacy-policy.md new file mode 100644 index 0000000..4690768 --- /dev/null +++ b/privacy-policy.md 
@@ -0,0 +1,46 @@ +--- +layout: page +title: Privacy Policy +--- + +If you require any more information or have any questions about our privacy policy, please feel free to [contact us by email][ContactInfo]. + +At NewHaven.IO we consider the privacy of our visitors to be extremely important. This privacy policy document describes in detail the types of personal information is collected and recorded by NewHaven.IO and how we use it. + +!! Log Files + +Like many other Web sites, NewHaven.IO makes use of log files. These files merely logs visitors to the site - usually a standard procedure for hosting companies and a part of hosting services's analytics. The information inside the log files includes internet protocol (IP) addresses, browser type, Internet Service Provider (ISP), date/time stamp, referring/exit pages, and possibly the number of clicks. This information is used to analyze trends, administer the site, track user's movement around the site, and gather demographic information. IP addresses, and other such information are not linked to any information that is personally identifiable. + +!! Cookies and Web Beacons + +NewHaven.IO does not use cookies. + +!! ~DoubleClick DART Cookie + +NewHaven.IO does not use ~DoubleClick ad service. + +!! Our Advertising Partners + +NewHaven.IO does not use any ad services. + +!! Children's Information + +We believe it is important to provide added protection for children online. We encourage parents and guardians to spend time online with their children to observe, participate in and/or monitor and guide their online activity. NewHaven.IO does not knowingly collect any personally identifiable information from children under the age of 13. 
If a parent or guardian believes that <> has in its database the personally-identifiable information of a child under the age of 13, please contact us immediately (using the contact in the first paragraph) and we will use our best efforts to promptly remove such information from our records. + +!! Online Privacy Policy Only + +This privacy policy applies only to our online activities and is valid for visitors to our website and regarding information shared and/or collected there. This policy does not apply to any information collected offline or via channels other than this website. + +!! Consent + +By using our website, you hereby consent to our privacy policy and agree to its terms. + +!! Security + +We ask that security researchers disclose vulnerabilities or concerns to us [by email][ContactInfo]. We are interested in an open dialog about any security issues or concerns. We expect responsible disclosure of at least 30 days of initial contact. We will make any discoveries public on or before any agreed upon grace period and will [acknowledge any researchers involved in discovery and/or mitigations](acknowlegements.html). + +!! Update + +This Privacy Policy was last updated on: . Should we update, amend or make any changes to our privacy policy, those changes will be posted here. + +[ContactInfo]: mailto:security@newhaven.io
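Review bot: the commit message for the `.well-known/pgp-key.txt` hunk (PATCH 1/4) should record the key's fingerprint and expiry, so a reviewer can confirm the armored block matches the key held in the Keybase `newhavenio.admins` team without importing it, and so a researcher fetching `https://newhaven.io/.well-known/pgp-key.txt` has something to compare against out of band; the web host can rewrite that file, so the fingerprint should also be published somewhere the host does not control (the Keybase team named in the message is the obvious place). Also verify that the site build publishes `.well-known/` at all: the `layout: page` front matter in the later patches suggests a Jekyll site, and Jekyll skips dot-prefixed files and directories unless they are listed under `include:` in `_config.yml`.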
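Review bot: in the `security.txt` hunk (PATCH 2/4) the `Acknowledgements:` line points at `https://newhaven.io/acknowlegements.html` with the path misspelled ("acknowlegements"); it matches the misspelled filename added in PATCH 3/4, so the link resolves today, but correcting the spelling later means editing this file, which invalidates the detached signature in `security.txt.asc`. Settle the spelling before the signed file is published. The `Policy:` field points at the privacy policy, whose only disclosure terms are the short "Security" section; a dedicated disclosure-policy page would keep the `Policy:` target from changing every time the privacy text is revised.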
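Review bot: the `security.txt.asc` hunk (PATCH 2/4) does not record which key produced the detached signature or how it was made; add the signing key ID and the command used (for example `gpg --armor --detach-sign security.txt`) to the commit message, so whoever next edits `security.txt` knows the signature must be regenerated, since any byte change to `security.txt`, even a trailing-newline edit, makes this file fail verification. Because the signature and the public key are served from the same origin, a verifier should check the key fingerprint against the out-of-band copy referenced in PATCH 1/4 rather than letting the two files vouch for each other.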
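Review bot: in the `acknowlegements.md` hunk (PATCH 3/4) the filename and the page title `Acknowledgements` disagree in spelling, and both `security.txt` (PATCH 2/4) and `privacy-policy.md` (PATCH 4/4) link to `acknowlegements.html`; renaming the file to the correct spelling and updating both links is cheapest now, before the signed `security.txt` is published. The page also mixes general site credits and security-disclosure credits; since researchers read the second list to judge whether reports are credited, keep the two lists clearly separated as the hunk already does and reserve the second for actual disclosures.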
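Review bot: the `!!` headings and the `~DoubleClick` tilde in the `privacy-policy.md` hunk (PATCH 4/4) look like TiddlyWiki markup carried over from the source site named in the commit message, not Markdown, so in a `.md` page with `layout: page` they will render as literal text; change each `!! Heading` to `## Heading` and drop the `~` (it only suppresses CamelCase linking in TiddlyWiki). Two placeholders survived the copy: `<>` in the Children's Information paragraph where the site name belongs, and an empty date in `last updated on: .`. In the Security section, "We expect responsible disclosure of at least 30 days of initial contact" does not say what the 30 days are measured from or whom the window binds; state it as a 30-day window from first contact before public disclosure. Minor wording in the Log Files paragraph: "hosting services's" and "types of personal information is collected".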