xv6.ovh

Security Policy

This document outlines our security policy for responsible disclosure of vulnerabilities in xv6.ovh services.

Scope

This security policy applies to all services and infrastructure under the xv6.ovh domain, including:

• Web services and applications
• DNS infrastructure
• Email services
• Network infrastructure
• Any subdomains or related services

Reporting Vulnerabilities

If you discover a security vulnerability, please report it responsibly:

1. Email: Send details to security@xv6.ovh
2. Encryption: Use our PGP key for sensitive information
3. Include: Detailed description, steps to reproduce, and potential impact
4. Timeline: Allow us 90 days to address the issue before public disclosure

What We Consider Vulnerabilities

We are interested in reports of:

• Remote code execution
• SQL injection
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Authentication bypass
• Privilege escalation
• Information disclosure
• Denial of service (DoS)
• DNS-related vulnerabilities
• Email security issues

What We Don't Consider Vulnerabilities

Please do not report:

• Social engineering attacks
• Physical attacks
• Denial of service attacks that don't require exploitation
• Issues requiring physical access to devices
• Vulnerabilities in third-party services we don't control
• Issues already reported and being worked on

Our Response Process

1. Initial Response: Within 48 hours of receiving your report
2. Assessment: We'll evaluate the vulnerability and its impact
3. Fix Development: We'll work on a fix and keep you updated
4. Testing: We'll test the fix thoroughly
5. Deployment: We'll deploy the fix and notify you
6. Recognition: We'll add you to our acknowledgments page

Safe Harbor

We provide safe harbor for security researchers who:

• Act in good faith
• Follow responsible disclosure practices
• Don't access or modify data beyond what's necessary
• Don't disrupt our services
• Don't violate any laws

Recognition

Security researchers who responsibly disclose vulnerabilities will be:

• Listed on our acknowledgments page
• Given credit for their findings (if desired)
• Appreciated for helping improve our security

Contact

For questions about this policy or to report vulnerabilities:

• Email: security@xv6.ovh
• PGP Key: Download here
• General Contact: Contact page

Back to Site

← Return to xv6.ovh