Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
rules:rule_10_no_attacks_against_or_from_the_instance [2022/11/20 00:05] dreadpir8robotsrules:rule_10_no_attacks_against_or_from_the_instance [2022/11/20 00:17] (current) – Add tip block dreadpir8robots
Line 14: Line 14:
   * Posting of malicious links/materials except where clearly identified as such and placed behind a content warning   * Posting of malicious links/materials except where clearly identified as such and placed behind a content warning
  
-<block info>This rule also encompasses using Infosec.Exchange in any way to impact other servers or people.</block>+This rule also encompasses using Infosec.Exchange in any way to impact other servers or people.
  
 ===== Other instances may provide security research environments ===== ===== Other instances may provide security research environments =====
-Conducting Mastodon vulnerability research/testing against Infosec.Exchange is not permitted.+Conducting invasive vulnerability research/testing against Infosec.Exchange is not permitted. However, as an Infosec-focused community, the intent here is not to discourage legitimate security research!
  
-If you are looking for somewhere to test vulnerabilities of Mastodon, [[faq:security:mastodon_vulnerability_testing|instances exist which are run and maintained for the purpose of providing security researchers with a hunting ground]].+<blockquote> 
 +There’s been a lot of discussion about a rule we recently instituted regarding security testing on the infosec.exchange instance. I understand the value or pen testing as much or more than most people, and I’m fully cognizant that pen tests are happening all the time and I’m not getting the report. I get it. But there are now 28,000 people using this service to communicate. I know there are vulnerabilities waiting to be discovered. Finding blog post fodder by fuzzing instances that are already running hot due to explosive growth is not super helpful.  But at the same time, I WANT that testing to happen.  
 + 
 +As a result, I am going to set up two instances tomorrow that only federate with each other. This is where I’d prefer legitimate security testing be performed. I’ll also be using it as the QA environment to test new updates and settings prior to deploying to the production instance. I’ll moderate signups because I don’t want it accidentally becoming fediverse 2.0 in the ongoing rush for the doors at twitter, but will accept anyone who wants to join, with clear indications that it’s a sandbox and should not be considered safe.  
 + 
 +Thanks for patience as we continue to find out way. 
 +<cite>[[https://infosec.exchange/@jerry/109368923347777577|@jerry]]</cite></blockquote> 
 + 
 +<block tip>If you are looking for somewhere to test vulnerabilities of Mastodon, [[faq:security:mastodon_vulnerability_testing|instances exist which are run and maintained for the purpose of supporting security researchers]].</block>