Rule 10: No attacks against (or from) the instance

You may not do anything which may impact confidentiality, integrity or availability of Infosec.Exchange services, the infrastructure on which the service relies, the users of the service, or their data.

Breach of this rule will lead to an immediate lifetime ban and may also include reporting to the relevant authorities.

Activities which would breach this rule may include, but are not limited to:

  • Denial of Service attack (DoS)
  • Distributed Denial of Service attack (DDoS)
  • Attempting to hack/exploit any software or hardware that compromises the service
  • Compromise/attempted compromise of any user or admin account/login
  • Impersonation of any user or admin
  • Posting of malicious links/materials except where clearly identified as such and placed behind a content warning

This rule also encompasses using Infosec.Exchange in any way to impact other servers or people.

Conducting invasive vulnerability research/testing against Infosec.Exchange is not permitted. However, as an Infosec-focused community, the intent here is not to discourage legitimate security research!

There’s been a lot of discussion about a rule we recently instituted regarding security testing on the instance. I understand the value or pen testing as much or more than most people, and I’m fully cognizant that pen tests are happening all the time and I’m not getting the report. I get it. But there are now 28,000 people using this service to communicate. I know there are vulnerabilities waiting to be discovered. Finding blog post fodder by fuzzing instances that are already running hot due to explosive growth is not super helpful. But at the same time, I WANT that testing to happen.

As a result, I am going to set up two instances tomorrow that only federate with each other. This is where I’d prefer legitimate security testing be performed. I’ll also be using it as the QA environment to test new updates and settings prior to deploying to the production instance. I’ll moderate signups because I don’t want it accidentally becoming fediverse 2.0 in the ongoing rush for the doors at twitter, but will accept anyone who wants to join, with clear indications that it’s a sandbox and should not be considered safe.

Thanks for patience as we continue to find out way. @jerry

If you are looking for somewhere to test vulnerabilities of Mastodon, instances exist which are run and maintained for the purpose of supporting security researchers.