Reporting Vulnerabilities about Bramble

Please report any security vulnerabilities about Bramble or Brmbl.io by emailing us at security@brmbl.io. Please refrain from requesting compensation for reporting vulnerabilities.

If you are looking to discover vulnerabilities in Bramble, please email security@brmbl.io for details on rules of engagement, scope, and additional information. For example, www.brmbl.io is listed as out-of-scope.

Vulnerability Disclosure

All vulnerabilities will be made public via our blog 30 days after releasing the fix. We try and redact all information considered sensitive (such as cookies, tokens, data details). The only time we will make an exception and not make a vulnerability public is when it contains sensitive data which we are unable to redact or remove from the report.

Red Team Rules of Engagement

If you want to conduct red teaming against Bramble you will need written permission upfront. You can apply by emailing security@brmbl.io your plans and experience. You need to get a written authorization letter from our CTO. While you are engaged in red teaming activities you should coordinate with the Security Team so escalation (law enforcement, etc.) can be avoided. The Security Team will notify the Infrastructure Team as well as the Engineering Team so that awareness is maintained.

Public GPG Key

-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: https://keybase.io/download
Version: Keybase Go 5.7.1 (linux)

xsFNBGFICeMBEADoHukHBYPqfKWQ839V/p/yMn0HEJGYDod5tLnBdKcN2GYFmHys
zfVWWObS5Rvu6uAN4/e8GeYwqC/b93v9YZO0IoIrqiAt+VQhjtw4zeiE9nReHrBN
BJ9PaaMuDywSsnrEe+BVNBFeAGxL5P5EgTGyvBwKq0zDLJpyyqrtNOMlN6qSgsRS
YtoSiTvo259F2t8+RhLBWc1xbA5KYrZy5TLccosG4Fz0Bdk9gFeIE68+YifPssln
amqpGDbeg/lEHfR5QQJaqLaLsTzX0np+Fn+EJz/IV/gR8I8v0gkkTu74+uXUR8Jp
9uXmzWrAIO9OzL++l3oLQiAFi7LZFtBJKe09SGr7f7oSWMg3S0Pmt//uGhvjHS4V
y8SfKQ5x9qAuVukrBFEt52SaI8ugGeBoLXRVNLpQc1dNHk92oK6KpJnkb8k3xzcN
FTGSi3TidlClRT1oudj06o8aJ9ZnC3e+RQGSfsYT/uTn5jzxQE8jY5yWbSI2EceX
ubZUc94jlh7IRkCaCVJtA+ju4mHLnRfBFkAjSebc6dBfVlX3Wog4x/F4uyRe44ws
JWasM6Su+QDpuMCooAvRHcAIl+q8M2w8a40SnbO3H9+4h406Z8amVqJUr+qSIVSv
v61DU3B6nbYr+FkLKX8/33pC7ZBGuyGBn4hKwbfyrH1NjoP3izXeGP4xYQARAQAB
zSRCcmFtYmxlIFNlY3VyaXR5IDxzZWN1cml0eUBicm1ibC5pbz7CwXgEEwEIACwF
AmFICeMJECmWy1zL/mZ0AhsDBQkeEzgAAhkBBAsHCQMFFQgKAgMEFgABAgAAgOYQ
ADgoe9I7eom5dZrsb68jyMnNfisABrIhkDi8+f5ulLf/usJ0dhEKk5eLncY+yEIp
9h+3ztLNSEllKrQAh/b8jSgQyTXtTFUhULnyx7gbWa6qy5LUz9JJbiEMFAIzeimR
ZFHR6BolFnkSJWMnW7aoZZaDLmH+U3SCv3Ps4oVoJuFznoAiyZ+Pb2ytsbrb/hkR
5j3+dFieYXqVjeomT2pM3a1iVPlfjJ5c/lZ9wcJzGVgfESP9DeZdCVl5eYIhL6uA
dnOAWRe5lc2jjZxa2SgfeAlhey4bt2FC4h84ltJmFW+9rOCkmpepzyJocTV5Y14X
ohfZ135Oo+/8UXt48KsVrzyiMl9udStW4otoJkZZF2cFoaYmqz6IZX2LC5fPz5Yq
TIxE+eIb0cot6pMdf3017L+xutAhCOwAhO4cQRKkDHA4nKoZKJyen/CFfl+ICiFf
5a9MWI79YaqOPkUncwpWWe4R3drpmjHIVBf9JZmmB4UKdfqotXtNk8J/k71wpv8V
TAW7BnwvPlTUSzVlmU6Y/w0lck8vsUxkdgoAuSUVU/TvEG3HHq5H3DQB6T+/Zme0
IYxAOVKPV8f7owmBt77ndXpapdnZaEMIrWetgDVDEyQt9y1Z8z1a4/8NdLavzSaf
ewb5WNgwAL3aWxZ9+DYHxSr/BiEHQTXWKb0Nslh6uOqwzsFNBGFICeMBEACxY9Ru
yky0nWG7c7lh4Y4z8nWyG8eTOxMhs6SUmnGuVJ2YBUZvk7/7yPcMcvBx1dYdfc5S
ISmw9t/OQkhlyJZZpdF905mfMKQLHg7r9i/R0VZ7sjrjtpTUBoHsEC/lUyFXIJJJ
DkyQnZInoyZdVZDy2s4rWq0uv/exhhQmYanZXU+ittOV6LegI/0X6qXL2Drjj7IA
B0Yc6YcAO4XERbISeQiXy5n6KMi91OOTETG1z1Zov+MJIJd4flf0omN0EsXp1FMi
q23MICFZnLgpoaX5hqQAlQC3c6QcouVySxwAUB6yyx91DYAKvrK5wTP0WYpI2fON
x1rgcfbpdPVTHNJSFioD1OdV7zttiKhenO7/5UkuqMvH/1ekfLe+gj1GTqm5bzjQ
H+rwiYNyNNyf6b59QjYW3sAOUvWIFp7TWoJqzD27Wye4btGtLvn4Zj7L2MW+XKiJ
tfd0/cpQxK67qukfBB2gCXtnYizUUMsJ9X8j6Jz+evqHDODIUMk9VW0ttMLmTg55
fash8ppcV5TU/pFOFRfjZe9IC+8qpy+ZiT2cIijwMe53RMkFJQkOMyITpKPDeXaS
TtBLEDNvsGG7NwyZ3XN9N9+wUfGckcMle4/eqzAC5tRLwp8ybBRB/eS0c7o4Qrqn
vVlodJGHBBblqjo2OaC9zx1nnQiJG2xS447JWwARAQABwsF1BBgBCAApBQJhSAnj
CRAplstcy/5mdAIbDAUJHhM4AAQLBwkDBRUICgIDBBYAAQIAAAyFEACtg3epS0It
IK83fLA44HUX+zte5qlVR0Q1Qzkdhx4jLCIinS3t+rCQz0rcS2oX056eaM0yAnN3
VGzcMKEy838/pv1pNIWNWr/HTm/e5jLSqZ5YSGqWwcFi3yd7Ty/WypF2/mxVeRvQ
tXK5Oq5mSCJc+abhmlpNAZo+Wh2btIzmSUGnNfLy1vys+Flm1ADhfRdsL42pbdYS
R6CY8xDSB+j7DkEnycH+WPRbgHMnwloVHf4inrQm754ivmpU+1JOIOyANh98MOdu
vyFZxhIAMxYbkFOoYZzy++XnQ8WOOaeLvo7EtfF/0V/nXO9a18Qb9S8nba0rTus4
hEEiwXryb9TmQPp4lBNKTXyqHwKidRHi7OMIIxN83FnZjPoFBwLXaWqfMZZy4W7e
oP/6X88e3tFYckG97+PMHbRdfrKnTKC9oXo6ze5jbsmEjPt0pAf4TeFeP623gYH+
8cZFDnvj+O3/ItMYjlB0kv/814JmSTR5jPD3C2mw9viOBm/3BYJnkfyDIR+4zdx3
T3os41AtdwgFIHaR+Twis40f5r5J36Nm25DpTO3YKl71P4VMnRMimZzP9X0kdQRU
Br5gYzUKQXsxe9FUH40DEHKng8hOFufPxHphRlngIggXPg1B9/800ckWPDljIdBE
XGS1MGo2d3qwIomDqZgmyvJ4/zSL++tNCg==
=lxG2
-----END PGP PUBLIC KEY BLOCK-----

Keybase

The PGP key above can be verified at our Keybase account @brmbl_security. Please note that our Keybase chat is not actively monitored.

Disclosure Guidelines for Vulnerabilities in 3rd Party Software

When a security vulnerability in some 3rd party product is discovered by Bramble team members the following disclosure guideline should apply:

  • The first priority is our users.
    • Therefore for any vulnerability discovered in a dependency of Bramble we’ll make sure our users are not affected.
  • For the following disclosure process our priority is to get the reported vulnerability fixed.
  • If the 3rd party acknowledges the vulnerability and is working on a patch, we will keep vulnerability details confidential until the issue is fixed.
    • If possible, we will verify the fix before it is being published.
    • In special cases we might release details without a fix to make the public aware. This might, for instance, be the case when a vulnerability is being actively exploited.
  • We aim for a fix within a 90 days deadline.
    • We will treat this as a soft deadline and help to meet the deadline when reporting.
    • We will try to coordinate with the affected 3rd party to have a patch released before we release an advisory.
  • Resulting advisories will be published in our blog