Introduction

Rebellion Defense is a new kind of defense company, built on the conviction that national defense is a shared responsibility. We take an unconventional approach to empower the mission of defense and national security through continual delivery of critical technology — because conventional methods aren't working.

The security and safety of our products and our customers' data is paramount. We work in an open partnership with the security community, and we recognize the critical work that ethical hackers bring to securing the internet as a whole. To that end, this policy contains our guidelines and promises to you, the community, about how we will cooperate with good-faith security researchers that are providing us such critical support.

Scope

This vulnerability disclosure policy covers all systems created or operated by Rebellion Defense on the internet. This includes not only our publicly facing websites but also our development, staging, and production environments.

In addition, this vulnerability disclosure policy covers all exposure of code, documentation, or data marked "REBELLION INTERNAL", except information shared with you or your company under NDA.

This vulnerability disclosure policy excludes any services run entirely by our customers or by third-party vendors (such as e-mail providers, marketing providers, etc.). If you are unsure whether a particular item is in scope, please contact us at security@rebelliondefense.com prior to testing it.

Please do not submit messages through the form on our Contact Us page (https://rebelliondefense.com/contact) unless 100% necessary for a PoC.

The scope is also limited to technical vulnerabilities in systems owned and operated by Rebellion Defense; please do not try to social engineer or phish our staff, break into our offices, send us threatening letters cut from magazines, etc. (Though if you have a video of a particularly cool lockpicking technique, we'd love to see it!)

For your target list, our second-level domains are as follows:

  • moochirp.io
  • mooch.rip
  • rebellion.dev
  • rebelliondefence.com
  • rebelliondefense.com

Our Promises To You

Rebellion Defense, and its subsidiaries, will not engage in legal action against individuals who submit vulnerability reports in accordance with this policy.

To the extent legally possible, if you abide by this policy we promise to:

  • Extend Safe Harbor for your vulnerability research that is related to this policy;
  • Work with you to understand and validate your report, including a timely initial response to the submission;
  • Work to remediate discovered vulnerabilities in a timely manner; and
  • Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.

We consider vulnerability research conducted according to this policy to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

Guidelines

You are expected, as always, to comply with all applicable laws. Complying with this policy means obeying certain guidelines. If you are not sure whether something you want to try is covered, reach out to us at security@rebelliondefense.com and we'll give you guidance.

You promise to:

  • Play by the rules. This includes following this policy, as well as any other relevant agreements. If there is any inconsistency between this policy and any other relevant terms, the terms of this policy will prevail;
  • Report any vulnerability you’ve discovered promptly;
  • Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
  • Use only the Official Channels to discuss vulnerability information with us;
  • Keep the details of any discovered vulnerabilities confidential until they are fixed, according to the Disclosure Policy;
  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
  • If a vulnerability provides unintended access to data:
    • Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and
    • Cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
  • Only interact with test accounts you own or with explicit permission from the account holder;
  • Not engage in extortion;
  • Publicly disclose the details of the vulnerability only after receiving permission to do so from us, OR after 30 days from the last communication from us, whichever is sooner.

How To Submit

To submit a vulnerability to the Rebellion Defense security team, please use our HackerOne portal at https://hackerone.com/rebellion-defense.

For questions, including questions about scope, please contact us at security@rebelliondefense.com.

Reporting Details and Process

We will triage submitted reports based on the CVSSv3.1 (https://www.first.org/cvss/calculator/3.1) score as determined by the security team, prioritizing fixes for higher scoring issues.

All issues should receive a response within 3 days (excluding US federal holidays and weekends) that includes our estimated CVSSv3.1 score and our timeline for remediation. We will remain in communication with you throughout the entire remediation process, and we will coordinate any public disclosure you wish to make after the remediation is complete.

If we are unable to resolve communication issues, or you are not satisfied with the quality of our response, we will bring in a neutral third party (CERT/CC, https://www.kb.cert.org/vuls/) to assist.

Reports will ideally:

  • be in well-written English
  • explain how you found the bug, your guess at the impact, and any recommendations for remediation
  • include proof-of-concept code, if possible
  • indicate whether you would like public credit