Security

From Neos Wiki
Revision as of 14:57, 13 January 2022 by Aesc (talk | contribs) (Marked this version for translation)

Neos takes the security of its products and services seriously. If you believe you've found a security issue or problem with Neos then please report it to us as described below.

Reportable Issues

Generally the following types of issues are things that we are looking for:

  • Personal Data / Information Gathering
    • See our notes below on Private Data
  • Currency Theft / Manipulation
  • Gaining Access to a User's Computer / Privilege Escalation
  • Neos Cloud Issues etc.
  • Permission System breaches and bypasses
  • Avatar, World and Object Stealing & Ripping
    • As defined in the Neos Guidelines
  • Intentional Neos Crashes & World Crashes*

* Given the Beta nature of Neos, crashes are quite common; we usually will not award a bounty for crashes. We still, however, want to hear about them so please report them. See Issue Bounties for more information.

This is not an exhaustive list and you should use your best judgement when making a report. If an issue bothers you, please consider reporting it. We would rather know about an issue than not.

Reporting Security Issues / Exploits

Never report security issues through public means such as:

  • GitHub Issues
  • The Neos Discord
  • Conversations in Public Neos Sessions
  • Twitter and Other Social Media

Please open a security report on our Moderation Ticket system by using the "Report an Exploit" option.

When submitting a report please ensure you include as much information as possible. Good examples of things to include are:

  • What you've found
  • How you found it
  • How serious you think it is
  • Whether any other users witnessed the discovery or are aware of it
  • Logs
  • Replication steps
  • Screenshots
  • Videos
  • A link or URL to a replication item

You should also indicate if you'd like to opt out of being credited for this report / discovery. When we resolve issues we may credit you in the change logs unless you opt out. Opting out will not affect your ability to receive a reward.

Reporting Rules / Guidelines

These guidelines are not intended to supersede or to overrule the general Neos Guidelines but are designed to give you some additional guidance in the area of security issues.

  1. We will not ban or apply any account restriction against you for reporting security issues. Reporting issues is the right thing to do and we want to encourage you to do this.
  2. If you require other users or their data to help you reproduce an issue, ensure that you get consent from them before proceeding.
  3. Do not publicly disclose/share or encourage the use of issues that you find and/or report.
    • This includes demonstrating, "showing off", advertising etc. the issue.
    • Using/demonstrating an issue in public with the goal of harassing, disrupting or scaring users may lead to account restrictions under our harassment guidelines.
  4. Avoid testing, reproducing or investigating issues in public sessions or in sessions in which you are not the host.
  5. Once an issue has been resolved you may discuss the issue publicly if you would like.
    • When doing this, remember to follow all other Neos guidelines and to keep commentary professional and respectful of Neos and its community.
    • Don't brag or boast about the issue.

Private Data

Due to Neos' Peer to Peer infrastructure for sessions and flexibility/openness in terms of "in Neos" development, it can be unclear what we class as private data.

To clarify this a little, common data that we do NOT consider private is listed below:

  • Username
  • User ID
  • Machine ID
  • IP Address
  • Steam ID
    • Used with Steam Networking Sockets and Rich Presence
  • Discord ID
    • Used with Discord Rich Presence

Although this information is not considered private, using or acquiring it in a way which breaches any other Neos Guidelines may still lead to account restrictions.

Reporting Process

Once a report has been submitted to our ticket system you should receive the following responses:

  1. Acknowledgement - A response from our ticket system should let you know that we've received your ticket.
  2. Further Responses - A Neos Representative may reach out with some additional questions or clarifications to help us to triage and work on your issue.
    • Please work with this representative in providing as much information as you can and answering their questions.
    • Working with Neos on your issue will help us reproduce it and fix it sooner.
  3. Resolution - After the issue is resolved you will receive an additional message acknowledging that this issue is resolved.

Example Report

We have an example report which was submitted by the community and led to a fix. It has been anonymized and is presented here to give an example of what we're looking for.

Issue Bounties

When reporting issues to Neos, we may give out rewards or incentives for reporting security issues. The rewards are in the form of CDFT (Community Developer Fund Token), which you can read more about in our Neos Whitepaper.

We've decided to reward in CDFT as this allows us to provide rewards that will grow as Neos does. When the price of NCR increases with Neos so will the real world value of your reward. This allows us to provide much larger rewards when you consider their long term value.

The amount of CDFT awarded will vary depending on a number of factors, including (but not limited to):

  • Severity of Issue
  • Complexity of the Issue
  • Quality of Report

Additionally, a reward may not be issued in all cases. Some reasons that may cause a reward to not be issued are:

  • Invalid Issues
  • Issues that have the same root cause as a previous issue.
  • Issues that have been previously reported by another user.
  • Issues that the Neos Team is aware of and plans to cover as a part of larger roadmapped items.
  • Issues that are not classified as Security related or Exploitable.
  • Issues that are submitted anonymously.
    • If you'd like an award but would like to remain publicly anonymous, you can opt out of being credited with the discovery of an issue. When reporting the issue, ensure that you include your name and your desire to remain publicly anonymous.

In all cases the Neos Team will discuss and deliberate what a suitable reward, if any, for a particular issue may be. Based on the consensus the reward will then be issued. A decision may take some time to reach. Do not expect an instant decision.

It is important to remember that this reward is an incentive and reward for your reports; it is not intended to be a competition, a race or a salary. We may change, update, remove or add to this bounty at any time.

Any conduct relating to this program which breaches the regular Neos Guidelines may result in a forfeiture of any rewards and a potential exclusion from reward considerations in the future.

Reward Amount

After deliberation and discussion with the Neos Team, a choice to reward a bounty may result in an award that is between 5000 and 10000 CDFT. A reward is not guaranteed.

Multiple issues that are reported may also strengthen your regular application for CDFT should you have one.

Please do not submit a CDFT application for each report made and please do not submit an application just for your security reporting activities.

Group / Team Rewards

Should you be working as a group or as a team, please indicate this in your original report. In the event of a reward we will contact you so that your group/team can decide how to split the rewards.

Retroactive Rewards

If you have previously made reports, we will not be retroactively giving out rewards for these reports.

In these cases, we do encourage you to submit a regular CDFT Application if you do not already have an active one. Your historical security reports and current activity may be factored in to strengthen your application.

Please do not submit a CDFT application for each report made and please do not submit an application just for your security reporting activities.

Mods & Plugins

See our Mod & Plugin Policy.

This was copied from SECURITY.md on our GitHub on: 2021-09-08. It may be out of date. Check the original source to double-check.