security-hall-of-fame/policy.txt


2022-01-02 13:29:54 +01:00
verdigado & Netzbegruenung Security and Vulnerability Reporting Policy
1. Services Covered by this Policy
This policy covers all services directly operated by us (verdigado eG &
Netzbegruenung). Services can be identified by the following means:
- The website has a .well-known/security.txt that links to this policy.
- The reverse DNS of an IP address resolves to one of the following
domains: *.verdigado.net, *.verdigado.com, *.netzbegruenung.de
2. Acceptable Use
We generally invite security researchers to search for vulnerabilities
in our services. We kindly ask you not to put any actual user data or
production systems at risk.
3. Classification of Vulnerabilities
We will consider a vulnerability report most likely as relevant if it
reports one of the following problems:
- The vulnerability can be used to directly access non-public
information that either reveals further security relevant problems or
contains user data, credentials, or sensitive data in general.
- The vulnerability can be used to disrupt the orderly operation of a
service (Denial of Service).
- The vulnerability can be used to manipulate data within the service.
- XSS, CSRF, RCE, authentication/authorization bypass, SQL injections,
etc. are considered relevant.
We will consider a vulnerability report most likely as NOT relevant if
it reports one of the following problems:
- Missing security features, for example HTTP headers, if they are not
actually preventing a vulnerability.
- Publicly accessible version strings of used software.
- Security vulnerabilities that can only be used within the scope of the
used account.
4. Reporting Vulnerabilities
Report vulnerabilities via e-mail to security@verdigado.com.
Please make sure that you include the following information:
- Which service is affected
- How can the bug be used/exploited
- Explanation of the risk
Reports will be answered within 48 hours. If you have not received an
answer within that time frame, feel free to contact us again.
For used open source software, we recommend filing bug reports and/or
pull requests against the upstream repositories. This includes hardening
instructions in the installation documentation.
5. Bug Bounties / Rewards
The amount of reward paid depends on the severity of the found
vulnerability. We usually do not pay rewards if vulnerabilities can be
found in mass scans with off-the-shelf software.
Only responsible disclosures are eligible for rewards.
6. Acknowledgement
We list recognized reports of vulnerabilities online if the reporting
security researcher agrees. The name, contact e-mail address, and type
of vulnerability can be included in the list. Our public
acknowledgements can be found at
https://verdigado.com/security-acknowledgements.html.
7. About this Policy
This policy is MIT licensed. Feel free to suggest modifications and
additions at https://github.com/digitalfabrik/security-policy.