ethical-hacking-ethics

📁 igbuend/grimbard 📅 12 days ago

总安装量

周安装量

#49819

全站排名

安装命令

npx skills add https://github.com/igbuend/grimbard --skill ethical-hacking-ethics

Agent 安装分布

github-copilot 2

claude-code 2

mcpjam 1

command-code 1

pi 1

openclaw 1

Skill 文档

Ethical Hacking Ethics

Guidance for ethical hacking: bug bounties, pentesting, and security research.

When to Use This Skill

Participating in bug bounty programs (HackerOne, Bugcrowd, Intigriti, YesWeHack)
Conducting authorized penetration testing
Performing security research on your own systems
Evaluating legality of security testing activities
Creating vulnerability disclosure reports

DO’s – Always Do These

1. Obtain Explicit Authorization

Get written permission before testing any system you don’t own
Verify scope – know exactly what assets are authorized
Document authorization – keep records of written consent
Check safe harbor status – confirm program has safe harbor policy

2. Follow Platform Rules of Engagement

Read and understand program-specific rules before testing
Adhere to testing timeframes specified by the program
Use only authorized testing methods
Report through official channels only
Human-in-the-loop required: HackerOne requires human validation before submitting findings

3. Practice Good Faith Security Research

Access systems solely for good-faith testing, avoid harm to individuals/public, use findings to improve security.

4. Document Everything

Keep detailed logs of all testing activities
Capture evidence of vulnerabilities for reports
Record timeline of discovery and reporting
Document all communication with program owners

5. Practice Responsible Disclosure

Report vulnerabilities promptly through official channels
Allow reasonable time for remediation before disclosure
Coordinate disclosure with affected organization
Follow platform-specific disclosure guidelines

6. Respect Data Privacy

Minimize data access to only what’s necessary for testing
Don’t store or share personal data discovered during testing
Report data exposure vulnerabilities without exploiting them
Follow GDPR and local data protection laws

DON’Ts – Never Do These

1. Never Test Without Authorization

Never access systems without explicit permission
Don’t assume permission – verify scope explicitly
Never test “out of scope” assets even if you find them
Don’t exceed authorized access – stay within defined boundaries

Legal risk: CFAA (US) and CMA 1990 (UK) prohibit unauthorized access. Penalties include imprisonment.

2. Never Cause Harm

Don’t modify or destroy data during testing
Never create backdoors or permanent access mechanisms
Don’t disrupt services or availability
Never exfiltrate data beyond what’s necessary for proof

3. Never Blackmail or Extort

Never threaten to publish vulnerabilities for payment
Don’t use vulnerabilities for extortion
Never demand bounties as condition for not publishing
Result: Permanent platform ban + potential criminal charges

4. Never Disclose Prematurely

Don’t publish vulnerability details before remediation
Never share findings with third parties without permission
Don’t post proof-of-concept code publicly without coordination
Never disclose program existence for private programs

5. Never Use Deceptive Practices

Don’t impersonate authorized security researchers
Never falsify vulnerability reports or evidence
Don’t misrepresent your identity or affiliation
Never submit false reports for rewards

6. Never Violate Privacy Laws

Don’t access personal data beyond testing scope
Never store or share PII discovered during testing
Don’t bypass privacy controls beyond what’s necessary
Follow GDPR/data protection requirements

Scope Verification Checklist

Before beginning any testing, verify:

Authorization Document: Written permission to test?
In-Scope Assets: All authorized targets identified?
Out-of-Scope Assets: Know what’s explicitly prohibited?
Testing Methods: Required or prohibited techniques?
Time Restrictions: Designated testing windows?
Safe Harbor: Program has and honors safe harbor policies?
Reporting Channel: Know official vulnerability submission process?
Disclosure Policy: Understand when/how you can publish findings?

Authorization Types

Type	Authorization	Safe Harbor	Notes
Bug Bounty	Implicit via program	If offered	Follow program rules
Pentest	Written contract/SOW	Per contract	May require NDA
VDP	Program invitation	Varies	Usually no rewards
CTF	Competition rules	Within boundaries	Legal only in competition

Authorization Best Practices

Always get it in writing – verbal authorization is insufficient
Define scope explicitly – “everything except X” is too vague
Specify time boundaries – testing windows and deadlines
Include escalation procedures – what to do if issues arise

Responsible Disclosure Process

Validate – Reproduce issue, document PoC, assess severity, check for duplicates
Submit – Use official channels, include description + steps + impact + remediation
Coordinate – Allow validation time, respond to questions, agree on timeline
Verify – Confirm fix applied, test that vulnerability is remediated
Disclose – Per agreed terms (coordinated, limited, full, or non-disclosure)

Red Lines – Violation Severity

Severity	Violations	Consequence
Critical	Unauthorized access, data theft, service disruption, extortion, social engineering, physical breach	Permanent ban + legal action
Severe	Premature disclosure, prohibited techniques, third-party sharing, withholding details	Warnings + potential ban
Minor	Unintentional scope violation, incomplete reports, format issues	Education + warning

When to Stop and Escalate

Stop Immediately If:

Situation	Action
Outside scope	Halt, document, report, await guidance
Sensitive data exposure	Stop exploration, don’t download, report immediately
Service disruption (or near)	Stop, document, report, await instructions
Asked to stop	Cease all activities, get written confirmation

Escalate When:

Legal questions – Consult legal counsel
Disputes – Request platform mediation
Unresponsive programs – Follow platform escalation procedures
Criminal activity discovered – Report to authorities
Safety concerns – Escalate if human safety at risk

Legal Framework Summary

Jurisdiction	Law	Key Points
US	CFAA (18 U.S.C. Â§ 1030)	Prohibits unauthorized access. Van Buren (2021) narrowed scope.
UK	CMA 1990	No “good faith” defense. Section 1: up to 2 years. No safe harbor equivalent.
EU	GDPR	Legal basis required for data. Report breaches within 72 hours.

Other jurisdictions: Canada, Australia, Germany, France, Japan have similar laws. Research local laws before international testing.

References: CFAA | CMA | GDPR

Standards Compliance

Standard	Use Case	Reference
PTES	General pentesting (7 stages)	pentest-standard.org
OWASP WSTG	Web application testing	owasp.org/wstg
NIST SP 800-115	Government/compliance testing	csrc.nist.gov
OSSTMM	Metrics-based security testing	isecom.org

Platform Quick Reference

Platform	Safe Harbor	Disclosure	Key Requirement
HackerOne	Gold Standard (GSSH)	Program-specific	Human-in-the-loop validation
Bugcrowd	Disclose.io framework	Coordinated/Custom/Non	Secure POC sharing
Intigriti	Varies	Coordinated	GDPR compliance
YesWeHack	Varies	Program-specific	Follow program brief

Platform Docs: HackerOne | Bugcrowd | Intigriti | YesWeHack

Certifications Reference

Certification	Focus	Ethics Requirement
OSCP	Practical exploitation	Legal boundaries, documentation
CEH	Theory + practical	Code of ethics required
GPEN	Advanced pentesting	Legal/ethical training
CREST/CHECK	UK government schemes	Background checks, conduct codes
PCI-DSS	Cardholder data environments	Qualified assessor, documentation

References

Platforms: HackerOne Docs | Bugcrowd Docs | Disclose.io

Standards: PTES | OWASP WSTG | NIST SP 800-115

Legal: CFAA | CMA 1990

For detailed reference material, see the references/ directory.

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台