by patio11
4676 days ago

So good news and bad news, bad news first: There doesn't appear to be a Firebase security contact page where you spell out how to get in touch with you if a researcher discovers something like this. Industry standard practice is, for better or worse, if you do not have that page then any available textarea is an acceptable method for communication with you about security vulnerabilities in your software.

The good news: you can trivially address this by adding one page in your CMS, calling it "Security", writing a few sentences of copy, and adding a) an email address which is monitored, b) a promise to write back, and c) (optional) a PGP key.

Some good examples:

http://www.twilio.com/docs/security/disclosure

http://37signals.com/security-response

http://technet.microsoft.com/en-us/security/ff852094.aspx

P.S. This advice is broadly applicable to everyone here who owns or helps to manage a software company.

I'll add one now.