Security Information

At Sunshine, we take the security of our platform and your data very seriously. This page outlines our security practices and provides information on how to report security vulnerabilities.

Our Security Measures

We implement a variety of security measures to maintain the safety of your personal information and scooter data:

  • All sensitive data is encrypted in transit using TLS/SSL.
  • MQTT connections are secured with authentication and authorization.
  • Administrative access is protected by multi-factor authentication.
  • Strict access controls and the principle of least privilege are applied.

Security Vulnerability Disclosure Policy

We appreciate the work of security researchers in improving the security of our open source platform. If you believe you've found a security vulnerability in Sunshine, we encourage you to notify us. We will work with you to resolve the issue promptly.

How to Report a Vulnerability

Please send vulnerability reports to security@rescoot.org. Please include the following information:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact of the vulnerability
  • Any suggestions for mitigating the issue
  • Whether you would like to be credited for the discovery (and if so, how you would like to be identified)

Our Disclosure Process

When you report a vulnerability to us:

  • We will acknowledge receipt of your report within 72 hours.
  • We will provide an initial assessment of the report within 5 business days.
  • We will keep you informed about our progress in addressing the issue.
  • We will notify you when the vulnerability has been fixed.
  • We will publicly acknowledge your responsible disclosure (if desired).

Responsible Disclosure Guidelines

We request that you:

  • Provide us reasonable time to address the vulnerability before disclosing it publicly (we suggest at least 90 days).
  • Make a good faith effort to avoid privacy violations, destruction of data, or interruption of our services.
  • Do not access or modify user data without explicit permission.
  • Act in good faith to avoid unnecessary disruption to our services.
  • Do not exploit the vulnerability beyond what is necessary to demonstrate the issue.

Security Updates

We regularly update our systems and software to address emerging security threats. Security updates are prioritized based on severity and potential impact. As an open source project, we encourage community contributions to security improvements.

Scope

Our security disclosure policy covers:

  • The Sunshine application code
  • Our API endpoints
  • MQTT broker configuration
  • Authentication and authorization mechanisms
  • Data storage and processing

Contact Information

For security-related inquiries or to report a vulnerability, please contact:

Email: security@rescoot.org