Browse Source

Add acknowledgements & policy

Sven Seeberg 6 months ago
Signed by: sven.seeberg
GPG Key ID: 29559DD5A83806B5
  1. 29
  2. 60


@ -0,0 +1,29 @@
<!doctype html>
<html lang="en">
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Vulnerability Report Acknowledgements</title>
h1, h2, h3 {
text-align: center;
<body style="background-color: #fff;">
<div style="max-width: 500px; margin-left: auto; margin-right: auto;">
<h1>Acknowledgements / Hall of Fame</h1>
<h3>verdigado eG and Netzbegr&uuml;nung eV recognize the following security researchers for their vulnerability reports.</h3>
<li>2021-11-26: anonymous, Wolke Information Disclosure</li>
<li>2020-12-04: Chabik Hatim &lt;;, GCMS Cross Site Scripting</li>


@ -0,0 +1,60 @@
verdigado & Netzbegruenung Security and Vulnerability Reporting Policy
1. Services Covered by this Policy
This policy covers all services directly operated by us (verdigado eG &
Netzbegruenung). Services can be identified by the following means:
- The website has a .well-known/security.txt that links to this policy.
- The reverse DNS of an IP address resolves to one of the following
domains: *, *, *
2. Classification of Vulnerabilities
We consider vulnerabilities as relevant when they meet one or more of
the following conditions:
- The vulnerability can be used to directly access non-public
information that either reveals further security relevant problems or
contains user data.
- The vulnerability can be used to disrupt the orderly operation of a
- The vulnerability can be used to manipulate data within the service.
- XSS, CSRF, RCE, authentication/authorization bypass, SQL inections,
etc are considered relevant.
We consider reports of vulnerabilities not as relevant when they contain
the following information:
- A service is missing HTTP security headers or comparable "add-on security"
- Publicly accessible version strings of used software.
- Security vulnerablities that can only be used within the scope of the
used account.
3. Reporting Vulnerabilities
Report vulnerabilities via e-mail to
Please make sure that you include the following information:
- Which service is affected
- How can the bug be used/exploited
- Explanation of the risk
Reports will be answered within 48 hours. If you have not received an
answer within that time frame, please make sure to contact us again.
4. Bug Bounties / Vulnerability Rewards
The amount of reward payed depends on the severity of the found
vulnerability. We usually do not pay rewards if vulnerabilities can be
found in mass scans with of-the-shelf software.
5. Acknowledgement
We list recognized reports of vulnerablities online if the reporting
security researcher agrees. The name, contact e-mail address, and type of
vulnerability can be included in the list. Our public acknowledgements
can be found at
6. About this Policy
This policy is MIT licensed. Feel free to suggest modifications and
additions at