Security Disclosure
New Harbor accepts third party vulnerability disclosures under the following set of rules. If you have questions about any of this, please don't hesitate to reach out to vulnz@newharbor.co.
1. Good Faith
We're going to reply in good faith; we appreciate that you're helping us improve our product, and while we're not asking you to take on this work, we also know that third party vulnerability research helps make everybody safer.
2. Duty to Report
If you find something, you have to report it to us within 1 business day, and you agree not to further exploit or publicize your findings. If we agree with your finding, you agree not to communicate with anyone besides us about the finding until after 90 days (or the next business day after the 90-day window ends).
3. It's Our Call
We're going to make the ultimate decision around the severity of findings; we know something about this stuff, and while we appreciate your thoughts on how to rank a finding, we're also going to make the final call on that.
4. We're not guaranteeing payment
We know, the whole reason you're doing this is for the money, though admittedly it's also kinda fun. We're not in a position to make guarantees around whether we will pay out, or the amounts. Even if we agree with your finding, and even if we make fixes to our product, we are not in any way obligated to pay you for it. With that being said, we're not expecting free work either. So if we feel that a reported vuln is a Critical, High, or potentially Medium, we'll figure something out. If it's a Low or Informational, we're going to appreciate your report, but we're probably not going to pay for it. We also want to note that we have good relationships with other folks in the security world, so if you provide findings and want to be connected to official programs and the like, we'll probably be happy to help with that.
5. Severity Definitions
OK, here's how we're currently thinking about the severity of reports. These are examples, and we're not guaranteeing that any report falls into any of these categories, even if listed here; there may be a case where something listed as a Critical here is more of a Medium, and vice versa!
6. Reproducibility
We have to be able to reproduce any report on our own in order to validate it.
7. Third Party Vulnerabilities
Some reports may actually relate to vulnerabilities in third party tools; if that's the case, we'll refer you to the third party (and in some cases may even assist you with reporting if you want).
8. Eligibility
Some folks may not be eligible to receive payment from us due to legal restrictions and other factors; we make the final determination on that.
9. Consolidation of Reports
Sometimes, we may determine that multiple reports are actually one single underlying issue. So we may combine multiple reports into a single report.
10. Submission Process
Send all reports via email to vulnz@newharbor.co. If you feel a report is particularly sensitive, please contact this email for out of band communication instructions.