Vulnerability Disclosure Policy and Scanning Information

HOW WE HANDLE REPORTS OF VULNERABILITIES ON OUR OWN PLATFORMS

Customer-Facing Intent

At BeeHive, safeguarding our users' information and data is our top priority. We understand that despite our best efforts, security vulnerabilities can still emerge. That's why we highly value the security community's role in identifying and reporting such vulnerabilities. This policy outlines our comprehensive approach to receiving, evaluating, and promptly addressing security vulnerability reports, while fostering collaboration with the security community to effectively tackle any issues that may arise.


Reporting a Vulnerability to Us

If you have stumbled upon a security vulnerability on our website or one of our services, we strongly urge you to inform us promptly. To do so, kindly complete the form provided below, and provide as much detail as possible about the vulnerability, including step-by-step instructions on how to reproduce it and any additional information that may aid us in comprehending and resolving the issue.

We kindly request that you refrain from disclosing any information regarding the vulnerability to anyone other than BeeHive until we have had sufficient time to address the matter. In the event that you choose to disclose it, we reserve the right to withhold any requested compensation if we determine that your means, manner, or method of public disclosure was done in bad faith. Within 24 hours of receiving your report, we will acknowledge its receipt and provide you with an estimated timeline for when you can expect a more detailed response.


How We Address Vulnerability Reports

Upon receiving a report about a security vulnerability, we will promptly assess its validity and severity. If we determine that the report is indeed valid, we will take immediate action to address the vulnerability.

Throughout the process, we will keep you informed and provide regular updates on the status of the issue. Should we require any additional information or assistance from you, we will reach out to you directly.

Our team will diligently work on providing a solution for the vulnerability and thoroughly test it before implementing it on our website. Once the fix has been deployed, we will notify you of the resolution and, with your consent, may even credit you for your invaluable assistance in identifying and reporting the vulnerability.

Considerations of Legal Conditions and Confidentiality

We take the utmost care in upholding the confidentiality and privacy of the information you share with us. Rest assured that we will not disclose your identity or any details of the vulnerability report without your explicit consent, unless required by law.

Furthermore, we kindly request that you adhere to all applicable laws and regulations when reporting any security vulnerability. It is important to refrain from engaging in any activities that may disrupt, damage, or compromise our systems or the data of our valued users.

Scope of Policy

This policy specifically pertains to the beehive.systems website and its associated services. It's important to note that other products, platforms, or services may have their own unique vulnerability disclosure policies, which will be conveniently accessible on their respective websites.

HOW WE DETECT WEAKNESSES AND TRANSMIT VULNERABILITY REPORTS TO OTHERS

Seeing scans from us?

Our intelligence platform sniffs through the internet frequently looking for indicators of vulnerability or compromise, and alerts our Security Operations Center when vulnerabilities meeting certain thresholds are detected. If you spot one of our agents, it will bear a User-Agent header similar to the following...

User-Agent: BeeHive Intelligence Sensor (Friendly Security Bot)
User-Agent: BeeHive Threat Scanner (Link)
User-Agent: BeeHive Security Sensor (Org)

Due to the offensive nature of this bot, some Web Application Firewalls may, emphasis on may, report its presence on your network as a "Brute Force". This is an unfortunate side effect of WAFs not enjoying route testing for vulnerable APIs. Rest assured, if you've been delivered a notification like this, you are not on the receiving end of a legitimate Brute Force attack, but simply a healthy shakedown for lazy-yet-public misconfiguration. We would equally rather you wake up to an angry-but-automated ModSecurity email than an empty database.

These scans are environmentally non-exploitive, led by web traffic to your domain resolved by our DNS Security service, our Security Client, or manual researcher hunting. Depending on how a customer or business has asked for their environment to be secured, some websites may be unavailable for access until verified safe as a source. These leading security scans will identify themselves as belonging to us. You're welcome to set up a pattern to identify and block this User-Agent; we don't intend to change it. However, customers behind secured environments may not be able to access your website at all if you do this, not to mention it's sometimes seen as sketchy to block security services that are solely customer-facing.
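As an added example (not BeeHive's code), a small Python script that picks these User-Agent strings out of combined-format web server logs, so scanner traffic can be reviewed separately from whatever a WAF flagged as "Brute Force". The log lines are constructed, and the match is on the three sensor names since the page says the header is only "similar to" those shown.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of "combined" format web server log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2024:12:00:01 +0000] "GET /api/v1/users HTTP/1.1" 401 0 "-" "BeeHive Intelligence Sensor (Friendly Security Bot)"
203.0.113.7 - - [01/May/2024:12:00:02 +0000] "GET /.env HTTP/1.1" 404 0 "-" "BeeHive Threat Scanner (Link)"
198.51.100.9 - - [01/May/2024:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
203.0.113.7 - - [01/May/2024:12:00:04 +0000] "GET /admin HTTP/1.1" 403 0 "-" "BeeHive Security Sensor (Org)"
192.0.2.5 - - [01/May/2024:12:00:05 +0000] "POST /login HTTP/1.1" 401 0 "-" "BeeHive Threat Scanner (Link)"
"""

# One combined-format request line; the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# The three sensor names from the policy; the parenthesised suffix is left open
# because the page only promises a header "similar to" the ones it lists.
SCANNER_UA_RE = re.compile(r"^BeeHive (Intelligence Sensor|Threat Scanner|Security Sensor) \(")


def parse_line(line):
    # Returns the fields of one log line, or None if the line does not parse.
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_beehive_scanner(user_agent):
    return SCANNER_UA_RE.match(user_agent) is not None


def summarize(log_text):
    # Split scanner requests from everything else and tally what the scanner touched.
    by_sensor = Counter()
    paths_by_ip = defaultdict(list)
    other = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        if is_beehive_scanner(rec["ua"]):
            by_sensor[rec["ua"]] += 1
            paths_by_ip[rec["ip"]].append((rec["status"], rec["path"]))
        else:
            other.append(rec)
    return {"by_sensor": dict(by_sensor), "paths_by_ip": dict(paths_by_ip), "other": other}
```

Requests tagged here are the scanner's and are not a brute-force attempt; anything left in `other` still deserves the WAF's attention.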

These security scans, while you may view them as intrusive, serve two purposes that have equal benefit.

For our customers, to whom it is our duty to guard and watch for threats, this allows us a quicker collection method to give your environment that happy check mark if it indeed deserves it. At the same time, should your environment be insecure, or compromised, we may be your front-line warning that it's even happened.

If we detect vulnerability or compromise?

We'll tell you; you can trust in that.

If we detect a specific class of malware running on an endpoint, you'll be alerted and given a threat report. How you choose to remediate is up to you; it's not as if it's in our abilities to turn back time.

If we detect live vulnerabilities that our team triages as "High Risk" or "Critical Risk", we'll make multiple attempts to contact any or all responsible parties, including by phone, email, or mail. If your organization participates with a HackerOne Disclosure Program, we'll bypass that riffraff and automatically submit it for triage to your organization's HackerOne.

Please God don't make us send you mail.

Once disclosed, we'll share a Notification of Disclosure on our Press Center, which will include information about the class and severity of the vulnerabilities disclosed, along with the "report" disclosure window. Once this window expires, we will disclose the full report including the vulnerability, impact, and additional information related.

These notices of disclosure serve as a transparent public record, should the website, service, or business ever suffer from a breach connected to said vulnerability that causes customer loss.