commit
1a9f13856a
2 changed files with 89 additions and 0 deletions
@ -0,0 +1,29 @@
|
<!doctype html> |
|
<html lang="en"> |
<head> |
<meta charset="utf-8"> |
<meta name="viewport" content="width=device-width, initial-scale=1.0" /> |
<title>Vulnerability Report Acknowledgements</title> |
<style> |
h1, h2, h3 { |
text-align: center; |
} |
</style> |
</head> |
<body style="background-color: #fff;"> |
<div style="max-width: 500px; margin-left: auto; margin-right: auto;"> |
|
<h1>Acknowledgements / Hall of Fame</h1> |
|
<h3>verdigado eG and Netzbegrünung eV recognize the following security researchers for their vulnerability reports.</h3> |
|
<ul> |
<li>2021-11-26: anonymous, Wolke Information Disclosure</li> |
<li>2020-12-04: Chabik Hatim <chabikhatim@gmail.com>, GCMS Cross Site Scripting</li> |
</ul> |
|
</div> |
</body> |
</html> |
|
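Review bot: the second list item, `<li>2020-12-04: Chabik Hatim <chabikhatim@gmail.com>, GCMS Cross Site Scripting</li>`, wraps the e-mail address in bare angle brackets, so an HTML parser treats `<chabikhatim@gmail.com>` as an unknown start tag and the address is silently dropped from the rendered page; escape it as `&lt;chabikhatim@gmail.com&gt;` or remove the brackets. Minor style point in the same hunk: `<meta charset="utf-8">` and `<meta name="viewport" ... />` mix the two void-element spellings; use one consistently.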
@ -0,0 +1,60 @@
|
verdigado & Netzbegruenung Security and Vulnerability Reporting Policy |
|
1. Services Covered by this Policy |
|
This policy covers all services directly operated by us (verdigado eG & |
Netzbegruenung). Services can be identified by the following means: |
- The website has a .well-known/security.txt that links to this policy. |
- The reverse DNS of an IP address resolves to one of the following |
domains: *.verdigado.net, *.verdigado.com, *.netzbegruenung.de |
|
2. Classification of Vulnerabilities |
|
We consider vulnerabilities as relevant when they meet one or more of |
the following conditions: |
- The vulnerability can be used to directly access non-public |
information that either reveals further security relevant problems or |
contains user data. |
- The vulnerability can be used to disrupt the orderly operation of a |
service. |
- The vulnerability can be used to manipulate data within the service. |
- XSS, CSRF, RCE, authentication/authorization bypass, SQL inections, |
etc are considered relevant. |
|
We consider reports of vulnerabilities not as relevant when they contain |
the following information: |
- A service is missing HTTP security headers or comparable "add-on security" |
features. |
- Publicly accessible version strings of used software. |
- Security vulnerablities that can only be used within the scope of the |
used account. |
|
3. Reporting Vulnerabilities |
|
Report vulnerabilities via e-mail to security@verdigado.com. |
|
Please make sure that you include the following information: |
- Which service is affected |
- How can the bug be used/exploited |
- Explanation of the risk |
|
Reports will be answered within 48 hours. If you have not received an |
answer within that time frame, please make sure to contact us again. |
|
4. Bug Bounties / Vulnerability Rewards |
|
The amount of reward payed depends on the severity of the found |
vulnerability. We usually do not pay rewards if vulnerabilities can be |
found in mass scans with of-the-shelf software. |
|
5. Acknowledgement |
|
We list recognized reports of vulnerablities online if the reporting |
security researcher agrees. The name, contact e-mail address, and type of |
vulnerability can be included in the list. Our public acknowledgements |
can be found at https://verdigado.com/security-acknowledgements.html. |
|
6. About this Policy |
|
This policy is MIT licensed. Feel free to suggest modifications and |
additions at https://github.com/digitalfabrik/security-policy. |
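Review bot: section 2 declares disruption of a service and access to user data as in-scope findings, but section 3 sets no testing limits for researchers, so the policy should state rules of engagement next to the reporting instructions (stop once a proof of concept is obtained, do not copy or retain user data, no availability testing against production). Spelling fixes in the visible lines: "SQL inections" should read "SQL injections", "vulnerablities" appears twice and should read "vulnerabilities", "payed" should read "paid", and "of-the-shelf" should read "off-the-shelf"; "etc are" wants "etc. are".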