🔒 Security Policy

🔒 Security Vulnerability Disclosure Policy

📋 Scope

This security policy applies to vulnerabilities found in:

• The csoh.org website - our public-facing community website
• Our web infrastructure - server configurations, DNS, SSL/TLS, hosting
• Community resources - publicly hosted materials and documentation

❌ Out of Scope

The following are NOT covered by this policy:

• Third-party services we link to (Zoom, PayPal, etc.)
• Third-party security tools, labs, or CTF platforms listed in our resources
• User-generated content shared during community sessions
• Social engineering attacks against community members
• Theoretical vulnerabilities without proof of exploitability

🐛 What We Consider a Security Vulnerability

We take security seriously and welcome reports of genuine security issues, including:

• Cross-Site Scripting (XSS)
• SQL Injection or other injection attacks
• Server-Side Request Forgery (SSRF)
• Authentication or authorization bypass
• Sensitive data exposure (e.g., exposed credentials, API keys)
• Security misconfigurations with exploitable impact
• Content Security Policy (CSP) bypasses

📢 How to Report a Vulnerability

If you discover a security vulnerability on csoh.org, please report it responsibly:

Preferred method: Email us at admin@csoh.org or reach out to one of the community organizers during our Friday Zoom session.

What to include in your report:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact and severity
• Any proof-of-concept code or screenshots (if applicable)
• Your suggested remediation (optional but appreciated)

⏱️ What to Expect

As a volunteer-run community, our response times may vary:

• Acknowledgment: We aim to acknowledge receipt within 7 days
• Initial assessment: We will assess the issue and communicate our findings within 14 days
• Resolution timeline: Depends on severity and complexity - we'll keep you updated
• Public disclosure: We appreciate coordinated disclosure and will work with you on timing

🤝 Our Commitment

If you report a security issue in good faith, we will:

• Not pursue legal action against you
• Work with you to understand and validate the issue
• Keep you informed about our progress toward resolution
• Publicly acknowledge your contribution (if you wish) after the issue is resolved

🎯 Responsible Disclosure Guidelines

When researching and reporting vulnerabilities, please:

• Do not access, modify, or delete data that doesn't belong to you
• Do not perform actions that could harm our website availability (DoS/DDoS)
• Do not disclose the issue publicly until we've had a chance to address it
• Do not exploit the vulnerability beyond what's necessary for validation
• Do test only against csoh.org (not our members or users)
• Do stop testing if you encounter user data and report immediately

🏆 Recognition

While we don't offer bug bounties (we're an all-volunteer community with no funding), we deeply appreciate responsible disclosure. With your permission, we'll:

• Publicly thank you in our community
• Add your name to a security researchers acknowledgments section (coming soon)
• Offer a recommendation/testimonial for your professional profile

📜 Security.txt

This policy is also published in machine-readable format according to RFC 9116:

https://csoh.org/.well-known/security.txt

📞 Contact

For security-related inquiries:

• Email: admin@csoh.org
• Community: Reach out to organizers during our Friday Zoom sessions