Differences

This shows you the differences between two versions of the page.

rules:rule_10_no_attacks_against_or_from_the_instance [2022/11/18 16:10] cirriustech
rules:rule_10_no_attacks_against_or_from_the_instance [2022/11/20 00:17] (current) – Add tip block dreadpir8robots
Line 1: Line 1:
 ====== Rule 10: No attacks against (or from) the instance ====== ====== Rule 10: No attacks against (or from) the instance ======
  
 +You may not do anything which may impact confidentiality, integrity or availability of Infosec.Exchange services, the infrastructure on which the service relies, the users of the service, or their data.
  
-You may not do anything which may impact confidentiality, integrity or availability of Infosec.Exchange, the users of the service or their data.+<block alert>Breach of this rule will lead to an immediate lifetime ban and may also include reporting to the relevant authorities.</block>
  
-You may not undertake any activity that would in any way put the confidentiality, integrity or availability of the servers, the users of the service or their data at risk. +Activities which would breach this rule may include, but are not limited to:
- +
-This may include, but is not limited to:+
  
   * Denial of Service attack (DoS)   * Denial of Service attack (DoS)
Line 12: Line 11:
   * Attempting to hack/exploit any software or hardware that compromises the service   * Attempting to hack/exploit any software or hardware that compromises the service
   * Compromise/attempted compromise of any user or admin account/login   * Compromise/attempted compromise of any user or admin account/login
-  * Impersonation of any user or admin+  * [[rules:09_no_dishonest_impersonation|Impersonation]] of any user or admin
   * Posting of malicious links/materials except where clearly identified as such and placed behind a content warning   * Posting of malicious links/materials except where clearly identified as such and placed behind a content warning
- 
-**Breach of this rule will lead to an immediate lifetime ban and may also include reporting to the relevant authorities.** 
  
 This rule also encompasses using Infosec.Exchange in any way to impact other servers or people. This rule also encompasses using Infosec.Exchange in any way to impact other servers or people.
  
-If you are looking for somewhere to test vulnerabilities of Mastodon, a list of servers maintained for this are available at https://wiki.infosec.exchange/faq/security/mastodon_vulnerability_testing+===== Other instances may provide security research environments ===== 
 +Conducting invasive vulnerability research/testing against Infosec.Exchange is not permitted. However, as an Infosec-focused community, the intent here is not to discourage legitimate security research! 
 + 
 +<blockquote> 
 +There’s been a lot of discussion about a rule we recently instituted regarding security testing on the infosec.exchange instance. I understand the value or pen testing as much or more than most people, and I’m fully cognizant that pen tests are happening all the time and I’m not getting the report. I get it. But there are now 28,000 people using this service to communicate. I know there are vulnerabilities waiting to be discovered. Finding blog post fodder by fuzzing instances that are already running hot due to explosive growth is not super helpful.  But at the same timeI WANT that testing to happen.  
 + 
 +As result, I am going to set up two instances tomorrow that only federate with each other. This is where I’d prefer legitimate security testing be performed. I’ll also be using it as the QA environment to test new updates and settings prior to deploying to the production instance. I’ll moderate signups because I don’t want it accidentally becoming fediverse 2.0 in the ongoing rush for the doors at twitter, but will accept anyone who wants to join, with clear indications that it’s a sandbox and should not be considered safe.  
 + 
 +Thanks for patience as we continue to find out way. 
 +<cite>[[https://infosec.exchange/@jerry/109368923347777577|@jerry]]</cite></blockquote>
  
 +<block tip>If you are looking for somewhere to test vulnerabilities of Mastodon, [[faq:security:mastodon_vulnerability_testing|instances exist which are run and maintained for the purpose of supporting security researchers]].</block>
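
Review bot: The new link on the Impersonation bullet targets "rules:09_no_dishonest_impersonation", but this page's own id follows the "rules:rule_10_..." pattern, so the target should be checked against the real id of the Rule 9 page before saving; a mismatched id renders as a link to a missing page. In the added blockquote, "But at the same timeI WANT" has lost a space, which looks like a copy-paste artifact rather than part of the quoted post and is worth comparing against the cited toot. The quote also says the sandbox instances will be set up "tomorrow", which dates quickly, so the tip block linking to faq:security:mastodon_vulnerability_testing is the pointer readers will rely on and should stay directly under the quote as it is here.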