MyOpenVDP
A web application to securely disclose vulnerabilities.
Compatible with Quasar UI v2 and Vue 3.
Structure
- /app – Ready-to-use MyOpenVDP application
- /ui – standalone npm package
- /app-extension – Quasar app extension
How it works
- Someone finds a vulnerability or a security bug on your website or product
- They go to your MyOpenVDP application
- They describe the vulnerability
- Their report is encrypted in their browser
- You receive the report via e-mail
- The Internet is safer!
Setup
Required: SMTP configuration
Nodemailer is used to send the encrypted vulnerability disclosures via e-mail.
You must provide the path to a JSON file that contains the Nodemailer configuration via the BACKEND_MAIL_CONFIG_FILE
environment variable.
An example configuration file would be:
{
"host": "smtp.example.com",
"port": 587,
"secure": false,
"auth": {
"user": "username",
"pass": "password"
}
}
See Nodemail SMTP transport for more configuration options.
Required: PGP keys
In order to encrypt vulnerability reports, you must provide the path to a directory that contains at least one file containing a PGP public key via the FRONTEND_FORM_PGP_KEYS_PATH
environment variable.
See this excellent example of how to generate a GPG key.
If there are multiple files in the directory, their full name, with extension, will be used to show in a drop-down list in the form. For example, for a directory with the following structure:
/pgpkeys
|- Key1
|- Key2
The drop-down list will display 2 items Key1
and Key2
.
If there is only one file in the directory, the drop-down list will no be displayed.
All files in the directory must contain one PGP public key similar to:
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQGNBGKxuBsBDAC0qZMBlhYaa2ruhp88GwkMuCOrW1rQY6DfkORvKjetwvwxMwBJ
[... more data ...]
ACLhTZ0Y9GKAN1+V0KB6dqgE3MHZAw1NZRDTnlfN3M345fj/Ypg09gw5KzAAtFVa
rCHIDOh1bOdGsOYVS9BaSuhPtwf/zYAC9VA+mI2qzQJji7thrBsx
=wicI
-----END PGP PUBLIC KEY BLOCK-----
Usage
Docker image
Run
docker run \
-v $(pwd)/config/backend/nodemailer.json:/config/nodemailer.json \
-v $(pwd)/config/frontend/pgpkeys:/config/pgpkeys \
-e BACKEND_MAIL_CONFIG_FILE=/config/nodemailer.json \
-e FRONTEND_FORM_PGP_KEYS_PATH=/config/pgpkeys \
-p3000:3000 yeswehack/my-open-vdp
Then go to http://localhost:3000.
Build
docker build -t my-vdp -f docker/Dockerfile .
Customize mail and webpage
Advanced configuration can be achieved by setting the following environment variables:
Backend
PORT
: HTTP port of the application (default:3000
)BACKEND_MAIL_CONFIG_FILE
: (required) path to the SMTP configuration fileBACKEND_HTTP_ACCESS_CONTROL_ALLOW_ORIGIN
: value of the HTTP headerAccess-Control-Allow-Origin
for all api response (default:*
)BACKEND_CAPTCHA_ENABLE
: boolean (true
/false
) flag to enable the form captcha (default:true
)BACKEND_CAPTCHA_CRYPT_PASSWORD
: password for captcha keys encryption (default: random UUID4, changes at every start)BACKEND_CAPTCHA_EXPIRATION_MS
: expiration delay of the captchas, in milliseconds (default:3600000
)BACKEND_MAIL_REPORT_TEMPLATE_TEXT_FILE
: path to the file containing the template for the HTML version of the e-mails sent when a vulnerability is disclosed (see default)BACKEND_MAIL_REPORT_TEMPLATE_HTML_FILE
: path to the file containing the template for the plain-text version of the e-mails sent when a vulnerability is disclosed (see default)BACKEND_MAIL_REPORT_SUBJECT_TEMPLATE
: subject of the e-mails sent when a vulnerability is disclosed (default:New Vulnerability Disclosure
)BACKEND_MAIL_REPORT_FROM
: value of the “from” field of the e-mails sent when a vulnerability is disclosed (default:my-open-vdp@[hostname]
)BACKEND_MAIL_REPORT_TO
: recipient of the e-mails sent when a vulnerability is disclosed (default:security@[hostname]
)
Frontend
FRONTEND_FORM_PGP_KEYS_PATH
: (required) path to the directory containing the PGP public keys used for encrypting the vulnerability disclosuresFRONTEND_VUE_URL_JS
: url of Vue.js global JavaScript build file (default:https://cdn.jsdelivr.net/npm/[email protected]/dist/vue.global.prod.js
)FRONTEND_QUASAR_URL_JS
: url of Quasar global JavaScript build file (default:https://cdn.jsdelivr.net/npm/[email protected]/dist/quasar.umd.prod.js
)FRONTEND_QUASAR_URL_CSS
: url of Quasar global CSS build file (default:https://cdn.jsdelivr.net/npm/[email protected]/dist/quasar.prod.css
)FRONTEND_MAIN_TITLE
: HTML title of the index/form page (default:VDP
)FRONTEND_FORM_ATTACHMENT_MAX_SIZE_BYTES
: maximum size of individual uploadable attachments in the form, in bytes (default:2097152
)FRONTEND_FORM_ATTACHMENT_ALLOWED_EXTENSIONS
: allowed attachment files extensions list, separated by spaces (default:txt jpeg jpg png gif tiff bmp
)FRONTEND_FORM_LOGS_AUTO_SCROLL
: boolean (true
/false
) flag to enable autoscrolling of the logs when submitting a vulnerability (default:true
)FRONTEND_FORM_TIMESTAMP_FORMAT
: format of the timestamp of the submission logs, see dateformat (default:yyyy/mm/dd HH:MM:ss.l
)FRONTEND_FORM_NOTIFICATIONS_POSITION
: default position of the notifications (default:top
; allowed values:top-left
,top-right
,bottom-left
,bottom-right
,top
,bottom
,left
,right
,center
)FRONTEND_FORM_SUCCESS_NOTIFICATION_POSITION
: position of the notification shown when a report has been successfully submittedFRONTEND_FORM_ERRORS_NOTIFICATION_POSITION
: position of the notifications shown when an error occursFRONTEND_FORM_DISCLOSURE_POLICY_NOTIFICATION_POSITION
: position of the notification shown when the user click on the “Disclosure policy” linkFRONTEND_PARTIAL_HEAD
: path to an HTML file that will be rendered in the<head/>
element of the form pageFRONTEND_PARTIAL_BODY_BEFORE_FORM
: path to an HTML file that will be rendered in the<body/>
element of the form page, just before the formFRONTEND_PARTIAL_BODY_AFTER_FORM
: path to an HTML file that will be rendered in the<body/>
element of the form page, just after the formFRONTEND_PARTIAL_BODY_AFTER_SCRIPT
: path to an HTML file that will be rendered in the<body/>
element of the form page, after the form initialization script
License
MIT (c) YesWeHack [email protected]