At Sourcegraph we think that security is an enabler for the business. Sourcegraph is committed to proactive security, and addressing vulnerabilities in a timely manner. We approach security with a can-do philosophy, and look to achieve product goals while maintaining a positive posture, and increasing our security stance over time.
- Proactively improve the security of our application and infrastructure.
- Define, plan, and prioritize security work that needs to be done (and then go do that work).
- Directly contribute to our codebase (i.e., Go, TypeScript, Kubernetes, Docker, Google Cloud Platform) to secure our application and deployments, and help other engineers on our team make the necessary changes.
- Respond to security vulnerability reports
- Increase our security posture by running traditional security tools such as vulnerability scanners, SAST, and DAST tools.
- Create a culture of security at Sourcegraph that empowers all of our engineers to write secure code.
Please see this document
Reporting a Vulnerability
If you think that you have found a security issue, please email us at [email protected]. We will reply to reports within 1 business day to acknowledge that we received them and will strive to send you regular updates on our progress until the issue is resolved. You may request an update by replying to the existing email thread. We will read, but may not respond to low quality or spammy reports (e.g. those produced by automated tooling).
We provide monetary rewards, up to $10,000 USD, for security vulnerability reports. The actual reward amount is determined based on the number of customers impacted, the difficulty of exploiting the vulnerability, and the severity of the consequences (e.g. service disruption, data leakage, reputational damage to Sourcegraph) of a successful exploit.
We will send payment to a valid PayPal account after the issue is confirmed fixed or 90 days from the original report, whichever happens first. We will ask you for the name and country associated with your PayPal account.
We may choose to not issue a reward if any of the following apply:
- You engage in disruptive behavior on sourcegraph.com itself (e.g. spamming our system with requests, fake accounts, denial of service). Sourcegraph is open source software, so you can install a copy yourself and test against that instead.
- You publicly disclose a vulnerability before we confirm that it is OK to do so. We want to give our customers time to upgrade to a patched version before public disclosure.
- You spam us with duplicate and/or low quality vulnerability reports (e.g. copy/pasting generic issues from automatic scanning tools).
- You are a current or former teammate at Sourcegraph (e.g. employee, contractor, intern).
- You are friends or family with a current or former teammate at Sourcegraph.
How we respond to security vulnerability reports
When we receive a report of a security vulnerability, a member of our security team determines if a reported vulnerability should be investigated by an engineer.
If so, a member of our security team will file a vulnerability report in sourcegraph/security-issues and follow the checklist in the issue template.
If not, a member of our security team will respond to the report to notify the reporter why we are not acting on the report.
Thank you for your report. Could you please provide us with $INFOX, $INFOY, and $INFOZ so we can investigate this further?
Thank you for your report. We will not be taking further action on this report because $REASONS.