Urban Airship’s security policy provides guidelines for interaction between our company and security researchers. Upon discovering a security issue and communicating it to firstname.lastname@example.org, a researcher can expect a response within five days. If a researcher does not receive correspondence from someone at Urban Airship within those five days, they’re entitled to publicly disclose the security problem. However, we’d much prefer to work on fixing the security problem before the public disclosure.
Urban Airship is responsible for delivering status updates at least once every five days until the problem is resolved or a fix is scheduled for release. We ask for full participation from researchers during this period.
We aim to provide the best services we can in a highly secure fashion. We take security very seriously. Part of that is communication with the community at large. We’re providing this policy as a way to get in touch with us when researchers spot issues within our system. It gives researchers a way to give us feedback, and it acts as a guide for communication between the researcher and Urban Airship.
Working with Urban Airship is, of course, a voluntary choice, and a choice that hopefully researchers respect and accept accordingly. The goal of following this policy, above all else, is education: for Urban Airship, for the researcher, our customers, and the community.
This hypothetical workflow illustrates the simple set of guidelines at work behind this policy:
- Researcher discovers a security threat
- Researcher documents the threat
- Researcher sends email to email@example.com with the details of the security issue
- Within five days, Urban Airship will respond to researcher with status regarding security issue and possible resolutions
- Every five days thereafter, Urban Airship is required to send a status update to the researcher, and to seek feedback on solutions
- When security issue has been satisfactorily resolved, researcher is welcome to publicly disclose finding
This is an open-ended dialogue. If there is anything missing, or if you’re just curious, please send us an email.