Add acknowledgements & policy
This commit is contained in:
commit
1a9f13856a
GPG Key ID:
29559DD5A83806B5
|
|
@ -0,0 +1,29 @@
|
|||
<!doctype html>
|
||||
|
||||
<html lang="en">
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
||||
<title>Vulnerability Report Acknowledgements</title>
|
||||
<style>
|
||||
h1, h2, h3 {
|
||||
text-align: center;
|
||||
}
|
||||
</style>
|
||||
</head>
|
||||
<body style="background-color: #fff;">
|
||||
<div style="max-width: 500px; margin-left: auto; margin-right: auto;">
|
||||
|
||||
<h1>Acknowledgements / Hall of Fame</h1>
|
||||
|
||||
<h3>verdigado eG and Netzbegrünung eV recognize the following security researchers for their vulnerability reports.</h3>
|
||||
|
||||
<ul>
|
||||
<li>2021-11-26: anonymous, Wolke Information Disclosure</li>
|
||||
<li>2020-12-04: Chabik Hatim <chabikhatim@gmail.com>, GCMS Cross Site Scripting</li>
|
||||
</ul>
|
||||
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
|
|
@ -0,0 +1,60 @@
|
|||
verdigado & Netzbegruenung Security and Vulnerability Reporting Policy
|
||||
|
||||
1. Services Covered by this Policy
|
||||
|
||||
This policy covers all services directly operated by us (verdigado eG &
|
||||
Netzbegruenung). Services can be identified by the following means:
|
||||
- The website has a .well-known/security.txt that links to this policy.
|
||||
- The reverse DNS of an IP address resolves to one of the following
|
||||
domains: *.verdigado.net, *.verdigado.com, *.netzbegruenung.de
|
||||
|
||||
2. Classification of Vulnerabilities
|
||||
|
||||
We consider vulnerabilities as relevant when they meet one or more of
|
||||
the following conditions:
|
||||
- The vulnerability can be used to directly access non-public
|
||||
information that either reveals further security relevant problems or
|
||||
contains user data.
|
||||
- The vulnerability can be used to disrupt the orderly operation of a
|
||||
service.
|
||||
- The vulnerability can be used to manipulate data within the service.
|
||||
- XSS, CSRF, RCE, authentication/authorization bypass, SQL inections,
|
||||
etc are considered relevant.
|
||||
|
||||
We consider reports of vulnerabilities not as relevant when they contain
|
||||
the following information:
|
||||
- A service is missing HTTP security headers or comparable "add-on security"
|
||||
features.
|
||||
- Publicly accessible version strings of used software.
|
||||
- Security vulnerablities that can only be used within the scope of the
|
||||
used account.
|
||||
|
||||
3. Reporting Vulnerabilities
|
||||
|
||||
Report vulnerabilities via e-mail to security@verdigado.com.
|
||||
|
||||
Please make sure that you include the following information:
|
||||
- Which service is affected
|
||||
- How can the bug be used/exploited
|
||||
- Explanation of the risk
|
||||
|
||||
Reports will be answered within 48 hours. If you have not received an
|
||||
answer within that time frame, please make sure to contact us again.
|
||||
|
||||
4. Bug Bounties / Vulnerability Rewards
|
||||
|
||||
The amount of reward payed depends on the severity of the found
|
||||
vulnerability. We usually do not pay rewards if vulnerabilities can be
|
||||
found in mass scans with of-the-shelf software.
|
||||
|
||||
5. Acknowledgement
|
||||
|
||||
We list recognized reports of vulnerablities online if the reporting
|
||||
security researcher agrees. The name, contact e-mail address, and type of
|
||||
vulnerability can be included in the list. Our public acknowledgements
|
||||
can be found at https://verdigado.com/security-acknowledgements.html.
|
||||
|
||||
6. About this Policy
|
||||
|
||||
This policy is MIT licensed. Feel free to suggest modifications and
|
||||
additions at https://github.com/digitalfabrik/security-policy.
|
||||
Loading…
Reference in New Issue