Commit 9337ff5e authored by Clark's avatar Clark
Browse files

Adding terms of service. GPLv3, Safe harbor, private!

parent 9cdfa84d
#+TITLE: Terms of Service
#+SUBTITLE: Know Your Rights
This page /strives/ to include all relevant details to transparently inform you of your rights, protections, and expectations when using this blog.
The purpose of this blog is to encourage liberty, security, and privacy in tech. These Terms of Service intend to provide users the same liberties, security, and privacy that is promoted throughout this blog.
* ByteCache components
** Server
Owner, me: Clark Henry
This server is currently rented from: DigitalOcean
Data Center: San Francisco, CA
All of the following components are entirely self-hosted using Docker on this DigitalOcean server:
- Commento comments section
- GitLab
- Nextcloud
- Matrix homeserver
More details coming soon.
* License
This blog is published under the [[][GNU General Public License v3]].
Web Front End Components -
MathJax - Apache 2.0
jQuery - MIT
popperjs - MIT
Bootstrap - MIT
Tocify - MIT
Server Side Components -
Debian - Various /free software/
Docker - Apache 2.0
Traefik - MIT
Apache HTTPD - Apache 2.0
** Acceptable use
4 freedoms:
- the freedom to use the software for any purpose,
- the freedom to change the software to suit your needs,
- the freedom to share the software with your friends and neighbors, and
- the freedom to share the changes you make.
Free as in Freedom.
* TODO Data
More details on the following soon:
- Server
- Blog
- Commento
- GitLab
- Nextcloud
- Matrix homeserver
** Cookies
I do /not/ use cookies to track you. Commento, the commenting solution for this blog, embeds some cookies. These are entirely self-hosted.
** Web storage
Web storage [sessionStorage] is used to store theme preferences.
* Privacy policy
I do not share data with any third parties.
I /do/ track IPs accessing my Treafik reverse proxy via access logs and ssh access attempts. This is to investigate brute force attempts, potential threats, incidents, and unauthorized access. 10 MB of access log data is stored on a rolling basis. I /do not/ forward these investigation results to any third parties.
/I/ do not filter access to this website based on geolocation, routing method (e.g., Tor), user agents, or other filters. I /will/ filter access based on results of an investigation, or based on known lists of dangerous IPs.
* Safe harbor
CFAA DMCA security research safe harbor.
You are protected and encouraged to provide Full Disclosure of discovered vulnerabilities.
#+CAPTION: Recommended Disclosure Methods
| Location | Preference | Recommended Use Case |
| Comment section of | Recommended | To provide vulnerability feedback about content provided on /that page/ of the blog. |
| | | |
If you prefer, you may Responsibly Disclose the vulnerability to me first, in which case, please email me at [[][]].
** Summary
- I want you to fully disclose vulnerabilities, and don't want researchers in fear of legal consequences because of good faith attempts to comply with this policy. I cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask me before engaging in any specific action you think _might_ go outside the bounds of this policy.
- If your security research as part of this policy violates certain restrictions elsewhere in my site, these safe harbor terms permit a limited exemption.
** Safe Harbor Terms
To encourage research and responsible disclosure of security vulnerabilities, I will not pursue civil or criminal action, or send notice to law enforcement for accidental or good faith violations of this policy. I consider security research and vulnerability disclosure activities conducted consistent with this policy to be “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). I waive any potential DMCA claim against you for circumventing the technological measures I have used to protect the applications in the scope of this policy.
Please understand that if your security research involves the networks, systems, information, applications, products, or services of a third party (which is not me), I cannot bind that third party, and they may pursue legal action or law enforcement notice. I cannot and do not authorize security research in the name of other entities, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.
You are expected, as always, to comply with all laws applicable to you, and not to disrupt or compromise any data beyond what this policy.
Please contact me before engaging in conduct that may be inconsistent with or unaddressed by this policy. I reserve the sole right to make the determination of whether a violation of this policy is accidental or in good faith, and proactive contacting me before engaging in any action is a significant factor in that decision. If in doubt, ask first!
** Third party safe harbor
If you submit a report which affects a third party service, I will limit what I share with any affected third party. I may share non-identifying content from your report with an affected third party, but only after notifying you that I intend to do so and getting the third party's written commitment that they will not pursue legal action against you or initiate contact with law enforcement based on your report. I will not share your identifying information with any affected third party without first getting your written permission to do so.
Please note that I cannot authorize out-of-scope testing in the name of third parties, and such testing is beyond the scope of this policy. Refer to that third party's policy, if they have one, or contact the third party either directly or through a legal representative before initiating any testing on that third party or their services. This is not, and should not be understood as, any agreement on my part to defend, indemnify, or otherwise protect you from any third party action based on your actions.
That said, if legal action is initiated by a third party, including law enforcement, against you because of your participation in this policy, and you have sufficiently complied with this policy (i.e. have not made intentional or bad faith violations), I will take steps to make it known that your actions were conducted in compliance with this policy.
** Limited waiver of other site polices
To the extent your security research activities are inconsistent with certain restrictions in other policies in these sites but are consistent with the terms of this policy, I waive those restrictions for the sole and limited purpose of permitting your security research under this policy. Just like above, if in doubt, ask me first!
* Legal
I am not a lawyer. This policy has not been reviewed by a lawyer. I cannot guarantee you legal protection.
* Warrant Canary
- The date of issue of this canary is July 8, 2020.
- No warrants have ever been served to me with regard to the data or traffic served by any subdomains to the domain.
- I plan to publish the next of these canary statements in the first month of 2021. Special note should be taken if no new canary is published by that time or if the list of statements changes without plausible explanation.
** Proof of freshness
date -R -u
| Wed | 08 Jul 2020 05:30:02 +0000 |
curl -s '' |\
python3 -c 'import sys, json; print(json.load(sys.stdin)['\''blocks'\''][10]['\''hash'\''])'
: 0000000000000000000663a777c01fb41285194b8549b9c175d5951df5ef6e04
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment