Skip to content

Latest commit

 

History

History
937 lines (451 loc) · 23 KB

README.md

File metadata and controls

937 lines (451 loc) · 23 KB

Federacy Changelog

[1.2.0] , [1.1.2] , [1.1.1] , [1.1.0] , [1.0.0] , [0.0.12] , [0.0.11] , [0.0.10] , [0.0.9] , [0.0.8] , [0.0.7] , [0.0.6] , [0.0.5] , [0.0.4] , [0.0.3] , [0.0.2] , [0.0.1]


 

1.2.0 (February 4th, 2019)

Added

  • overview of what's next after /program setup [1.2.0-01]

  • explanatory copy to /programs and /researchers lists

  • privacy settings to /program profiles under "Visibility" tab [1.2.0-02]

  • quick access to Help Center in footer of homepage and user account menu [1.2.0-03]

  • hyperlink to new Federacy Blog in homepage footer

Changed

  • pagination controls hidden for lists with less than 10 records [1.2.0-04]

  • error notification visibility if issue resolved with a successful POST

  • /sign-in routing to /program page for team members added to a program during setup

  • "Vulnerability Disclosure Policy" tab abbreviated to "VDP" on /program profile

Removed

  • skills from /researchers list in summary card

  • "Sign in" and "Sign up" hyperlinks from the homepage footer

Fixed

  • pending invites not displayed immediately when created for existing /program

Design

  • mobile UI for /researchers page improved

  • visually separated filter controls from results for /researchers list

  • update "What we test" icons on homepage

Policies


 

1.1.2 (January 31st, 2019)

Added

  • form to homepage for scheduling a call [1.1.2-01]

  • more platform features to homepage

  • targets tested as "What we test" to homepage

Changed

  • platform description on homepage

  • position of "Featured on" section on homepage

  • table search speed improved for /reports inbox

Fixed

  • twitter hyperlink in footer to direct to @_federacy

  • top navigation responsiveness at ~1000px width

Design


 

1.1.1 (January 30th, 2019)

Added

  • pagination to /programs tables [1.1.1-01]

  • tagline field to /program profile [1.1.1-02]

  • agreements section to /account for quick reference of accepted policies [1.1.1-03]

Changed

  • tabbed navigation to selection box for mobile displays on /program profile [1.1.1-04]

  • placeholder copy for /program "Admins" & "Researchers" invitation fields.

  • selection field for filtering "All Programs" in /reports inbox to searchable [1.1.1-05]

Fixed

  • scrolling glitch present on /program profile at certain window sizes

  • "Awarded" total for multiple awards on a single report in /reports table

  • onscreen notification message missing after successful award POST

  • /payments history to display username of awarded researcher from user account after program deletion

  • fee-charging on award transactions for non-reusable sources

Security

  • session invalidated and user signed out after password reset

Known Issues

  • session not invalidated on email address change


 

1.1.0 (January 23rd, 2019)

Added

  • in-place editing for /program VDP with Markdown support [1.1.0-01]

  • /sign-up notification of existing user account

  • error notification during /program creation if slug is taken

  • usernames and gravatars of users invited to /program [1.1.0-02]

  • researchers can be invited to /program by email address

Changed

  • migrated from HTML to Markdown for VDP copy

  • updated_at attributes touched when children objects are updated/created

  • /program roles and scopes editable in-place [1.1.0-03]

Removed

  • /program setup access after program creation

  • program_name and slug editing within UI

Fixed

  • "All Programs" filter in /reports to include programs to which you have reported regardless of current role

  • resolution of URL redirection through /sign-in

  • payment history of reports awarded by you that were submitted to programs you are no longer active in

  • payment history of awards issued by your teammates

  • change periods to dashes in slug if present in program_name

  • /researcher profiles with null attributes are visible

  • submitted report can be viewed even if program has been deleted

  • program contract acceptance validation

Security

  • require ASCII-only URLs to mitigate IDN homograph vulnerabilities
    reported by reymarkdivino

  • stronger password validation throughout site to improve user security (HIBP integration) [1.1.0-04]

Design

  • mobile UI and copy tweaks

  • VDP beautification

  • redirection flow (routing) improvements upon /sign-in or revisiting / during session

  • information display and UX improvements for /researchers list and /researcher profiles

Policies

  • timeliness notice appended to new report email notification

  • user agreements and policies communicated during program setup and researcher onboarding available in help center

Known Issues

  • session not invalidated on email address or password change


 

1.0.0 (January 19th, 2019)

Added

  • program and researcher guided setup [1.0.0-01]

  • user sessions with httpOnly cookies & CSRF tokens

  • email address confirmation requirement

  • performance metrics & launch date in /programs list [1.0.0-02]

  • tabbed navigation to /program profiles

  • "known issues" editor to /program profiles [1.0.0-03]

  • payment handling for programs to issue awards [1.0.0-04]

  • new columns in /reports inbox

  • "payment history" feed to /payments [1.0.0-05]

Updated

  • "awards" table moved from VDP to its own section [1.0.0-05]

  • scopes table redesigned & editing simplified [1.0.0-06]

  • program roles reconfigured

  • filters applied in /reports inbox persist while browsing

  • weekly reporting cap lifted once researcher is "vetted" by system [1.0.0-07]

  • hyperlinked URLs in researcher's /report view

  • "password change" functionality moved into modal [1.0.0-08]

  • form field validations & alerts have been improved

  • new theme for /researcher profiles [1.0.0-09]

Removed

  • /network invites outside of programs

  • tabbed /program editor

  • wysiwyg VDP editor in program editor

  • /program gravatars

  • public visibility toggle in /program editor

  • payout options for researchers other than PayPal

  • waitlist for new program sign-up

  • subscription plans for private programs

Fixed

  • public visibility toggle in /profile editor

  • submitted report status displayed to the researcher

Security

  • various IDOR vulns identified and remediated
    reported by reymarkdivino

  • improperly repaired SPF misconfiguration remedied
    reported by japz

  • unsafe-inline resolved for CSP script-src & style-src
    reported by ali

Documentation

Known Issues

  • session not invalidated on email address or password change


 

0.0.12 (December 10th, 2018)

Added

  • Added more filters to /reports inbox. [0.0.12-01]

  • Added awarded column to /reports inbox tabular data.

  • Added ability for program maintainers to submit and triage their own reports.

Updated/Fixed

  • Fixed occasional empty status upon report creation.

  • Refined filtering of reports by status in /reports inbox.

Removed

  • Removed report submission button from /reports inbox.

Known Issues

  • A notification email indicating your password has been changed is triggered when any /account settings are updated.

  • The program visibility mechanics can be improved.

  • The reward interface of a program report can be improved.


 

0.0.11 (December 1st, 2018)

Added

  • Added internal admin controls and views.

  • Added unsaved changes alert when navigating from report.

  • Added notice about brevity to transactional emails.

Updated/Fixed

  • Moved program report field descriptions to tooltips. [0.0.11-01]

  • Addressed state issues after updating report severity or status.

  • Improved report editing interface.

  • Improved navigation from report back to /reports inbox.

  • Separated /account settings from /profile editor.

  • Fixed formatting of blog hyperlink on researcher profile.

  • Fixed website hyperlink redirect loop on program pages.

  • Changed formatting of original report to render line breaks.

Security

  • Fixed bypassing homograph attack using /@.
    reported by reymarkdivino

Known Issues

  • A notification email indicating your password has been changed is triggered when any /account settings are updated.

  • The program visibility mechanics can be improved.

  • The reward interface for a report can be improved.

  • Program maintainers do not have access to the report options panel for reports they submit to their own program.


 

0.0.10 (November 6th, 2018)

Updated/Fixed

  • Fixed formatting for program report when in read-mode.

Security

  • Made invitation codes single-use to prevent limit bypass.
    reported by reymarkdivino

  • Addressed homograph attack vulnerability.
    reported by reymarkdivino

  • Fixed invitation token leakage via referer header.
    reported by reymarkdivino

  • Remediated open redirect weakness.
    reported by ali

Known Issues

  • A notification email indicating your password has been changed is triggered when any user settings are updated.

  • Hyperlinks missing protocol in the url do not resolve to external website.

  • The program report editing experience can be improved.

  • The reward interface can be improved.


 

0.0.9 (October 24th, 2018)

Added

  • Added pagination to /researchers page.

  • Added field to select number of items displayed on /researchers page.

  • Added URL persistence through sign-in for authenticated routes.

  • Added container overflow control for description section of report content.

Updated/Fixed

  • Changed copy in various components and modules to improve UX.

  • Fixed form interaction and update notifications in /programs editor.

  • Improved responsive design of report pages on mobile devices.

  • Addressed report activity logging bug that occasionally posted incorrect action.

  • Fixed gravatar displayed for awarder of bounty in activity log of a report.

  • Updated program invite-related mailers with minor copyedits.

  • Switched mailers to send from [email protected] for better support handling.

Removed

  • Removed Create Program button from the UI for researchers.

  • Removed /network page access for inactive users.

  • Removed firing of notification mailers for a program's auto-generated example report.

Known Issues

  • A notification email indicating your password has been changed is triggered when any user settings are updated.

  • The reward interface can be improved.


 

0.0.8 (October 11th, 2018)

Added

  • Added section to the /profile editor below user settings for researchers to complete. [0.0.8-01]

  • Added /billing page with subscription plans.

  • Added public /researchers list for subscribers with search and filter functionality. [0.0.8-02]

  • Added public researcher profiles accessible from /researchers list for subscribers.

  • Added ability to invite a researcher to your /program from /researchers list and their corresponding profile page.

Updated/Fixed

  • Fixed /network table styling.

  • Renamed visibility field in /profile editor to clarify its function.

  • Moved visibility toggle from user settings to researcher profile section of /profile editor.

  • Updated users endpoint to include connected users through programs and reports.

  • Fixed missing user activation mailers.

  • Redesigned layout and styling for individual reports. [0.0.8-03]

  • Moved Award section to Reward action that opens a modal in individual reports.

  • Merged the comment system into a single module in individual reports.

  • Combined the submitted report and program's report into a single panel that is switchable via link.

  • Renamed Timeline to Activity in individual reports.

Removed

  • Removed role.gravatar from api/roles.

  • Removed ability for inactive users to send invitations through the /network page.

  • Removed ability for inactive users to make their profile public.

  • Removed ability for researchers to create programs.

  • Removed priority selection from individual reports.

Known Issues

  • A notification email indicating your password has been changed is triggered when any user settings are updated.

  • The reward user interface can be improved and does not account for swag rewards.


 

0.0.7 (September 16th, 2018)

Added

  • Added an award section to individual reports. [0.0.7-01]

  • Added user gravatars to the report assignment field.

  • Added important report-related email notification triggers.

  • Added /program scope selection to individual reports.

  • Added icons that indicate type of change to a report's activity log.

  • Added vue-lazyload to images on homepage to improve page load time.

  • Added redirect-ssl to improve SSL handling on older browser clients.

  • Added Web Font Loader to improve typeface handling.

  • Added URL redirection for /reports/:id upon successful /sign-in.

Updated/Fixed

  • Redesigned layout and styling for individual reports.

  • Implemented a friendlier report update interface. [0.0.7-02]

  • Merged the submitted report and program's report into a single view.

  • Moved the report comment system into a single view.

  • Renamed History to Timeline for a report's activity log.

  • Changed timestamp format for a report's activity log.

  • Provided a method to collapse a report's activity log.

  • Compressed homepage images with webp to load on smaller screens.

  • Floated form-response notifications to improve visibility.

  • Switched datetime handling from moment.js to date-fns.

Removed

  • Removed option to edit an original report after it has been submitted.

  • Removed user gravatars from the report's activity log.


 

0.0.6 (August 20th, 2018)

Added

  • Added a password strength indicator to the /sign-up page. [0.0.6-01]

  • Added Sentry for better error-tracking and real-time fixes.

  • Added Critical as a priority level option for /program scopes.

  • Added 'Featured On' section to the landing page.

  • Added Open Graph tags.

Updated/Fixed

  • Permitted Facebook and Twitter sharing from browser extensions.

  • Normalized /login to /sign-up and added redirect.

  • Fixed user=researcher differentiation in the join form on the landing page.

  • Desaturated logos on landing page, colorizing onHover.

  • Optimized images to improve landing page load-time.

  • Loosened input validation for /program name to allow ., & and +.

  • Improved validation for email address fields in auth forms.

  • Rearranged the 'invite to program' sections of the /program editor by hierarchy of role permissions.

  • Added error notification for exceeding invites while adding new users through the /program editor.

  • Updated /report comment style and added time since post.

  • Modified error notifications for edge cases to be more descriptive.

  • Fixed navigation from /programs to /reports to display inbox instead of the new report form.

  • Fixed a bug with adding and deleting roles.

  • Updated /report assignment to sync with API role changes.

  • Improved onboarding experience and emails.

  • Resolved rack-attack issue and re-enabled.

Removed

  • Removed public user search field from the 'invite to program' sections of the /program editor.


 

0.0.5 (August 12th, 2018)

Added

  • A chart displaying report count by severity level has been added to the /reports inbox. [0.0.5-01]

  • The scope tables for each /program utilizes a toggle to switch between in/out.

  • Added 404 page.

  • Soft deletion and soft dependency deletion for everything.

  • Sort scopes where they were missing (created_at asc).

  • Added a review process for programs to go public.

  • GET api/roles now returns user_ids.

Updated/Fixed

  • The scope section of /program has a slick new theme. [0.0.5-02]

  • Updated username and program name validation to limit types of characters accepted.

  • Fixed user.invited_by was not being set in some cases.

  • Fixed major issues with responsive mobile styling.

  • Fixed gravatars in /reports inbox to sync with assignee.

  • The CVSS rating module has been removed from all reports to simplify the submission process.

  • The required fields of a report can no longer be left empty or edited and resubmitted with blank content.

  • Fixed report assignment to allow selection of anyone given access within the program settings.

  • Fixed the visibility of new comments when a report is first reopened.

  • The /reports inbox now shows a custom message when returning zero results dependent on selected filter.

  • The login process has been optimized for faster load-time.

  • Implemented a fallback to ensure data is captured from the sign up form when the API is down.

Removed

  • Overloading of invitations to allow multi-use invitations (this means an invitation can only be used once).

  • Remediations, we'll circle back on this feature when we have time to do it justice.


 

0.0.4 (August 7th, 2018)

Updated/Fixed

  • New styling applied to /program profiles [0.0.4-01]

  • /program scopes moved from separate tabbed view to visible above the VDP

  • Copy changed in /program Rewards table from 'Vulnerability Type' to 'Vulnerability Level'

  • Made header sticky while scrolling /program VDP

  • Light style changes applied within the wysiwyg editor of the /program creation/update form

  • After submitting a report, you are now directed to the list of reports you have submitted instead of the dashboard's default view

Known Issues

  • CSP can be improved and tightened


 

0.0.3 (August 2nd, 2018)

  • First pass at /reports re-design [0.0.3-01]

  • Critical priority for reports

  • Sqreen for Content Security Policy and other headers for www.federacy.com

  • Vulnerability Disclosure Policy posted to github using the Creative Commons Attribution Share Alike license.

Updated/Fixed

  • Template VDP Rewards Copy and Table

  • Clean up /network and invitations list

Known Issues

  • CSP can be improved and tightened


 

0.0.2 (July 31st, 2018)

Added

  • Content Security Policy, CORs, and some denial of service mitigations for api.federacy.com

  • Password reset functionality

Removed

  • Points as a scope reward, because this functionality has not yet implemented

Updated/Fixed

  • Resolved ssues with invitations, roles, and reports

  • Improved policies, scopes, and routes to be more restrictive, and resolved a multitude of bugs created in the process

  • Improve email copy for invitations, activations, and signups

Known Issues

  • rack-attack ip tracking using proxy addresses instead of end-user

  • invitations have been overloaded to support a single invitation being used many times (for HN post)


 

0.0.1 (July 11th, 2018)

  • Private alpha launch on Bookface!