A web application to securely disclose vulnerabilities.

Overview

MyOpenVDP

A web application to securely disclose vulnerabilities.

docker npm npm github

Compatible with Quasar UI v2 and Vue 3.

my-open-vdp

Structure

  • /app - Ready-to-use MyOpenVDP application
  • /ui - standalone npm package
  • /app-extension - Quasar app extension

How it works

  • Someone finds a vulnerability or a security bug on your website or product
  • They go to your MyOpenVDP application
  • They describe the vulnerability
  • Their report is encrypted in their browser
  • You receive the report via e-mail
  • The Internet is safer!

Setup

Required: SMTP configuration

Nodemailer is used to send the encrypted vulnerability disclosures via e-mail.

You must provide the path to a JSON file that contains the Nodemailer configuration via the BACKEND_MAIL_CONFIG_FILE environment variable.

An example configuration file would be:

{
  "host": "smtp.example.com",
  "port": 587,
  "secure": false,
  "auth": {
    "user": "username",
    "pass": "password"
  }
}

See Nodemail SMTP transport for more configuration options.

Required: PGP keys

In order to encrypt vulnerability reports, you must provide the path to a directory that contains at least one file containing a PGP public key via the FRONTEND_FORM_PGP_KEYS_PATH environment variable.

See this excellent example of how to generate a GPG key.

If there are multiple files in the directory, their full name, with extension, will be used to show in a drop-down list in the form. For example, for a directory with the following structure:

/pgpkeys
 |- Key1
 |- Key2

The drop-down list will display 2 items Key1 and Key2.

If there is only one file in the directory, the drop-down list will no be displayed.

All files in the directory must contain one PGP public key similar to:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBGKxuBsBDAC0qZMBlhYaa2ruhp88GwkMuCOrW1rQY6DfkORvKjetwvwxMwBJ
[... more data ...]
ACLhTZ0Y9GKAN1+V0KB6dqgE3MHZAw1NZRDTnlfN3M345fj/Ypg09gw5KzAAtFVa
rCHIDOh1bOdGsOYVS9BaSuhPtwf/zYAC9VA+mI2qzQJji7thrBsx
=wicI
-----END PGP PUBLIC KEY BLOCK-----

Usage

Docker image

Run

docker run \
    -v $(pwd)/config/backend/nodemailer.json:/config/nodemailer.json \
    -v $(pwd)/config/frontend/pgpkeys:/config/pgpkeys \
    -e BACKEND_MAIL_CONFIG_FILE=/config/nodemailer.json \
    -e FRONTEND_FORM_PGP_KEYS_PATH=/config/pgpkeys \
    -p3000:3000 yeswehack/my-open-vdp

Then go to http://localhost:3000.

Build

docker build -t my-vdp -f docker/Dockerfile .

Customize mail and webpage

Advanced configuration can be achieved by setting the following environment variables:

Backend

  • PORT: HTTP port of the application (default: 3000)
  • BACKEND_MAIL_CONFIG_FILE: (required) path to the SMTP configuration file
  • BACKEND_HTTP_ACCESS_CONTROL_ALLOW_ORIGIN: value of the HTTP header Access-Control-Allow-Origin for all api response (default: *)
  • BACKEND_CAPTCHA_ENABLE: boolean (true/false) flag to enable the form captcha (default: true)
  • BACKEND_CAPTCHA_CRYPT_PASSWORD: password for captcha keys encryption (default: random UUID4, changes at every start)
  • BACKEND_CAPTCHA_EXPIRATION_MS: expiration delay of the captchas, in milliseconds (default: 3600000)
  • BACKEND_MAIL_REPORT_TEMPLATE_TEXT_FILE: path to the file containing the template for the HTML version of the e-mails sent when a vulnerability is disclosed (see default)
  • BACKEND_MAIL_REPORT_TEMPLATE_HTML_FILE: path to the file containing the template for the plain-text version of the e-mails sent when a vulnerability is disclosed (see default)
  • BACKEND_MAIL_REPORT_SUBJECT_TEMPLATE: subject of the e-mails sent when a vulnerability is disclosed (default: New Vulnerability Disclosure)
  • BACKEND_MAIL_REPORT_FROM: value of the "from" field of the e-mails sent when a vulnerability is disclosed (default: [email protected][hostname])
  • BACKEND_MAIL_REPORT_TO: recipient of the e-mails sent when a vulnerability is disclosed (default: [email protected][hostname])

Frontend

  • FRONTEND_FORM_PGP_KEYS_PATH: (required) path to the directory containing the PGP public keys used for encrypting the vulnerability disclosures
  • FRONTEND_VUE_URL_JS: url of Vue.js global JavaScript build file (default: https://cdn.jsdelivr.net/npm/[email protected]/dist/vue.global.prod.js)
  • FRONTEND_QUASAR_URL_JS: url of Quasar global JavaScript build file (default: https://cdn.jsdelivr.net/npm/[email protected]/dist/quasar.umd.prod.js)
  • FRONTEND_QUASAR_URL_CSS: url of Quasar global CSS build file (default: https://cdn.jsdelivr.net/npm/[email protected]/dist/quasar.prod.css)
  • FRONTEND_MAIN_TITLE: HTML title of the index/form page (default: VDP)
  • FRONTEND_FORM_ATTACHMENT_MAX_SIZE_BYTES: maximum size of individual uploadable attachments in the form, in bytes (default: 2097152)
  • FRONTEND_FORM_ATTACHMENT_ALLOWED_EXTENSIONS: allowed attachment files extensions list, separated by spaces (default: txt jpeg jpg png gif tiff bmp)
  • FRONTEND_FORM_LOGS_AUTO_SCROLL: boolean (true/false) flag to enable autoscrolling of the logs when submitting a vulnerability (default: true)
  • FRONTEND_FORM_TIMESTAMP_FORMAT: format of the timestamp of the submission logs, see dateformat (default: yyyy/mm/dd HH:MM:ss.l)
  • FRONTEND_FORM_NOTIFICATIONS_POSITION: default position of the notifications (default: top ; allowed values: top-left, top-right, bottom-left, bottom-right, top, bottom, left, right, center)
  • FRONTEND_FORM_SUCCESS_NOTIFICATION_POSITION: position of the notification shown when a report has been successfully submitted
  • FRONTEND_FORM_ERRORS_NOTIFICATION_POSITION: position of the notifications shown when an error occurs
  • FRONTEND_FORM_DISCLOSURE_POLICY_NOTIFICATION_POSITION: position of the notification shown when the user click on the "Disclosure policy" link
  • FRONTEND_PARTIAL_HEAD: path to an HTML file that will be rendered in the <head/> element of the form page
  • FRONTEND_PARTIAL_BODY_BEFORE_FORM: path to an HTML file that will be rendered in the <body/> element of the form page, just before the form
  • FRONTEND_PARTIAL_BODY_AFTER_FORM: path to an HTML file that will be rendered in the <body/> element of the form page, just after the form
  • FRONTEND_PARTIAL_BODY_AFTER_SCRIPT: path to an HTML file that will be rendered in the <body/> element of the form page, after the form initialization script

License

MIT (c) YesWeHack [email protected]

You might also like...
Source code for a deployed web application

lisper.ch-Ekagra: The full source code for the webapp @https://lisper.ch/Ekagra (online yoga lessons) Why? This is not by any means a showcase of my p

It is a web application made with VueJs by using Covid19 API.

It is a web application made with VueJs by using Covid19 API.

A simple ecommerce web application built using nodejs, typescript, firebase, AWS S3 & DynamoDB on the backend. With vuejs and vuetify on the frontend.
A simple ecommerce web application built using nodejs, typescript, firebase, AWS S3 & DynamoDB on the backend. With vuejs and vuetify on the frontend.

A simple ecommerce web application built using nodejs, typescript, firebase, AWS S3 & DynamoDB on the backend. With vuejs and vuetify on the frontend.

Dozzle is a small lightweight application with a web based interface to monitor Docker logs
EveryThought is a web application designed to help you identify and recognize your emotions through daily guided prompts and journaling.

EveryThought ☁ EveryThought is a web application designed to help you identify and recognize your emotions through daily guided prompts and journaling

Web Application created in vue

Rick And Morty App Application web created in Vue 2 with the rest service Rick And Morty API Demo https://testrickandmorty.netlify.app/#/ Steps to run

The web application creates a digital movie poster display for use on LED screens
The web application creates a digital movie poster display for use on LED screens

Digital Movie Poster (DMP) The web application creates a digital movie poster display for use on LED screens. Intended to run on a Raspberry Pi 4, but

TROMBI est une application web permettant de générer un trombinoscope à partir d'un annuaire LDAP.
TROMBI est une application web permettant de générer un trombinoscope à partir d'un annuaire LDAP.

TROMBI TROMBI est une application web permettant de générer un trombinoscope à partir d'un annuaire LDAP. Elle permet aussi d'afficher l'agenda de cha

A vue.js web application to practice with front-end rendering
A vue.js web application to practice with front-end rendering

VuePosts Introduction This is simply another vue.js web application. I did this project to practice front-end rendering skills and try out a framework

Owner
Yes We Hack
Yes We Hack
Vikingo Satellite is a cross-platform utility for exploiting vulnerabilities without explicitly displaying

Vikingo Satellite is a cross-platform utility for exploiting vulnerabilities without explicitly displaying

Vikingo project 4 Nov 20, 2022
This project shows how to dockerize web application build using Vue JS web development framework for Java Script programming language.

vue-docker This project shows how to dockerize web application build using Vue JS web development framework for Java Script programming language. Requ

Denny Imanuel 1 Dec 27, 2021
A Vue.js web application for Freedomotic Open IoT framework

fd-vue-webapp A Vue.js client for Freedomotic framework. Scope of the project This repository contains the implementation of a front end client for Fr

Freedomotic 62 Nov 19, 2022
GenVue is a hostable, web application that lets confidential users upload and share private files. Tech stack: Net Core 2.0 + Vue.js + Vuex + OpenIddict + Vuetifyjs + EF + SQLServer/Postgress

Asp.NETCore 2.0 Vue 2 with WebApi Authorization Starter template This repo contains an AspNetCore 2.1 + Vue.js 2 starter template (VS2017) + NetCore W

Adam Adamczyk 127 Sep 2, 2022
Web application for organization of foodsaving groups worldwide - frontend code and central location for feature planning. For server-side code, go to https://github.com/yunity/karrot-backend

A web platform to support foodsaving groups worldwide. ?? ?? ?? karrot (Frontend) (Backend) This is the frontend repository, i.e. the browser-side sof

yunity 353 Nov 10, 2022
🌵 Web application to manage plants

?? Application ⁃ ?? Website ⁃ ?? Roadmap ⁃ ?? Issues Current version: 1.7.3 ?? About HappyPlants is all about collecting, organising, and adding all k

Moritz Kröger 241 Nov 11, 2022
A web application to view npm package files

npmview A web application to view npm package files. | https://npmview.vercel.app Self-hosting for private NPM Use VITE_UNPKG_URL env to customize API

Rongjian Zhang 108 Sep 21, 2022
OSL is a simple shared list web-application based on Node. Typical uses include shopping lists of course, and any other small todo-list that needs to be used collaboratively.

Our Shopping List OSL is a simple shared list application. Typical uses include shopping lists of course, and any other small todo-list that needs to

Anaël Ollier 20 Nov 25, 2022
FHEMApp ist eine Web-Application zur Steuerung deiner Smarthome Umgebung.

FHEMApp ist eine Web-Application zur Steuerung deiner Smarthome Umgebung. Sie wurde als Frontend für den Einsatz mit FHEM(tm) entwickelt. FHE

jens 23 Sep 9, 2022
Nuxt.js was used in building the frontend of this web application and PHP/mySQL for the backend/database.

sdg-007 Frontend Nuxt.js was used in building the frontend of this web application and PHP/mySQL for the backend/database. About There is a popular sa

Inventors 8 May 20, 2021