From 1a9f13856a53d3a287eab00b6feca8415f242e37 Mon Sep 17 00:00:00 2001 From: Sven Seeberg Date: Sun, 2 Jan 2022 13:29:54 +0100 Subject: [PATCH] Add acknowledgements & policy --- acknowledgements.html | 29 +++++++++++++++++++++ policy.txt | 60 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 89 insertions(+) create mode 100644 acknowledgements.html create mode 100644 policy.txt diff --git a/acknowledgements.html b/acknowledgements.html new file mode 100644 index 0000000..67f8dc8 --- /dev/null +++ b/acknowledgements.html @@ -0,0 +1,29 @@ + + + + + + + Vulnerability Report Acknowledgements + + + +
+ +

Acknowledgements / Hall of Fame

+ +

verdigado eG and Netzbegrünung eV recognize the following security researchers for their vulnerability reports.

+ + + +
+ + + diff --git a/policy.txt b/policy.txt new file mode 100644 index 0000000..4938e39 --- /dev/null +++ b/policy.txt 
@@ -0,0 +1,60 @@ +verdigado & Netzbegruenung Security and Vulnerability Reporting Policy + +1. Services Covered by this Policy + +This policy covers all services directly operated by us (verdigado eG & +Netzbegruenung). Services can be identified by the following means: +- The website has a .well-known/security.txt that links to this policy. +- The reverse DNS of an IP address resolves to one of the following + domains: *.verdigado.net, *.verdigado.com, *.netzbegruenung.de + +2. Classification of Vulnerabilities + +We consider vulnerabilities as relevant when they meet one or more of +the following conditions: +- The vulnerability can be used to directly access non-public + information that either reveals further security relevant problems or + contains user data. +- The vulnerability can be used to disrupt the orderly operation of a + service. +- The vulnerability can be used to manipulate data within the service. +- XSS, CSRF, RCE, authentication/authorization bypass, SQL inections, + etc are considered relevant. + +We consider reports of vulnerabilities not as relevant when they contain +the following information: +- A service is missing HTTP security headers or comparable "add-on security" + features. +- Publicly accessible version strings of used software. +- Security vulnerablities that can only be used within the scope of the + used account. + +3. Reporting Vulnerabilities + +Report vulnerabilities via e-mail to security@verdigado.com. + +Please make sure that you include the following information: +- Which service is affected +- How can the bug be used/exploited +- Explanation of the risk + +Reports will be answered within 48 hours. If you have not received an +answer within that time frame, please make sure to contact us again. + +4. Bug Bounties / Vulnerability Rewards + +The amount of reward payed depends on the severity of the found +vulnerability. We usually do not pay rewards if vulnerabilities can be +found in mass scans with of-the-shelf software. 
+ +5. Acknowledgement + +We list recognized reports of vulnerablities online if the reporting +security researcher agrees. The name, contact e-mail address, and type of +vulnerability can be included in the list. Our public acknowledgements +can be found at https://verdigado.com/security-acknowledgements.html. + +6. About this Policy + +This policy is MIT licensed. Feel free to suggest modifications and +additions at https://github.com/digitalfabrik/security-policy.
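Review bot: In the acknowledgements.html hunk the body text ends with "recognize the following security researchers for their vulnerability reports." but nothing follows it, so the page ships with a dangling reference to a list that does not exist; either add an initially empty list element with a placeholder entry (for example "No reports yet") or reword the sentence until the first entry lands. When entries are added, keep in mind that the names and links will come from external reporters and should be HTML-escaped rather than pasted in raw. Also, policy.txt links to https://verdigado.com/security-acknowledgements.html while the file added in this commit is named acknowledgements.html; please confirm the deployed path matches or rename one of the two.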
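Review bot: In section 1 of policy.txt the second scope criterion ("The reverse DNS of an IP address resolves to one of the following domains") is not a safe test on its own: a PTR record is set by whoever controls the IP range and can name any domain, so a researcher could be led to test a host you do not operate. Require forward-confirmed reverse DNS (the PTR name's A/AAAA record resolves back to the same IP) or publish the IP ranges explicitly. Section 3 names only a plain e-mail address; since the policy already relies on .well-known/security.txt, add an Encryption field with a PGP key there and mention it in section 3 so reports containing exploit details are not sent in the clear. Section 2 counts disrupting a service as relevant, but the policy never says what testing is permitted (for example no denial-of-service testing, stop once non-public data is reached); a short testing-guidelines or safe-harbor paragraph in section 3 protects both sides. Section 5 should make publication of the contact e-mail address an explicit per-item opt-in rather than bundling it with the name. Section 6 states "This policy is MIT licensed." but the commit adds only acknowledgements.html and policy.txt, so the license text itself is missing; add a LICENSE file. Typos: "SQL inections" should read "SQL injections", "vulnerablities" (sections 2 and 5) "vulnerabilities", "payed" "paid", "of-the-shelf" "off-the-shelf", and "etc are" "etc. are".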