Rebellion Defense is a new kind of defense company, built on the conviction that national defense is a shared responsibility. We take an unconventional approach to empower the mission of defense and national security through continual delivery of critical technology — because conventional methods aren't working.
The security and safety of our products and our customers' data is paramount. We work in an open partnership with the security community, and we recognize the critical work that ethical hackers bring to securing the internet as a whole. To that end, this policy contains our guidelines and promises to you, the community, about how we will cooperate with good-faith security researchers that are providing us such critical support.
This vulnerability disclosure policy covers all systems created or operated by Rebellion Defense on the internet. This includes not only our publicly facing websites but also our development, staging, and production environments.
In addition, this vulnerability disclosure policy covers all exposure of code, documentation, or data marked "REBELLION INTERNAL", except information shared with you or your company under NDA.
This vulnerability disclosure policy excludes any services run entirely by our customers, or third-party vendors (such as e-mail providers, marketing providers, etc.). If you are unsure whether a particular item is in scope, please contact us prior to testing it at email@example.com.
Please do not send emails to the form on our Contact Us page (https://rebelliondefense.com/contact) unless 100% necessary for a PoC.
The scope is also limited to technical vulnerabilities in Rebellion Defense owned and operated systems only; please do not try to social engineer or phish our staff, break into our offices, send us threatening letters cut from magazines, etc. (Though if you have a video of a particularly cool lockpicking technique, we'd love to see it!)
For your target list, our second-level domains are as follows:
Rebellion Defense, and its subsidiaries, will not engage in legal action against individuals who submit vulnerability reports in accordance with this policy.
To the extent legally possible, if you abide by this policy we promise to:
When conducting vulnerability research according to this policy, we consider this research to be:
You are expected, as always, to comply with all applicable laws. Complying with this policy means obeying certain guidelines. If you are not sure whether something you want to try is covered, reach out to us at firstname.lastname@example.org and we'll give you guidance.
You promise to:
To submit a vulnerability to the Rebellion Defense security team, please use our HackerOne portal at https://hackerone.com/rebellion-defense.
For questions, including questions about scope, please contact us at email@example.com.
We will triage submitted reports based on the CVSSv3.1 (https://www.first.org/cvss/calculator/3.1) score as determined by the security team, prioritizing fixes for higher scoring issues.
All issues should receive a response within 3 days (excluding US federal holidays and weekends) that includes our estimated CVSSv3.1 score, and our timeline for remediation. We will remain in communication with you throughout the entire remediation process, as well as coordinate any public disclosure you wish to make after the remediation is complete.
If we are unable to resolve communication issues, or you are not satisfied with the quality of our response, we will bring in a neutral third party, CERT/CC (https://www.kb.cert.org/vuls/), to assist.
Reports will ideally: