Add acknowledgements & policy
commit
1a9f13856a
29
acknowledgements.html
Normal file
@ -0,0 +1,29 @@
<!doctype html>

<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Vulnerability Report Acknowledgements</title>
<style>
h1, h2, h3 {
text-align: center;
}
</style>
</head>
<body style="background-color: #fff;">
<div style="max-width: 500px; margin-left: auto; margin-right: auto;">

<h1>Acknowledgements / Hall of Fame</h1>

<h3>verdigado eG and Netzbegrünung eV recognize the following security researchers for their vulnerability reports.</h3>

<ul>
<li>2021-11-26: anonymous, Wolke Information Disclosure</li>
<li>2020-12-04: Chabik Hatim <chabikhatim@gmail.com>, GCMS Cross Site Scripting</li>
</ul>

</div>
</body>
</html>
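Review bot: the second `<li>` writes the reporter's address with raw angle brackets (`<chabikhatim@gmail.com>`), so an HTML parser treats it as an unknown start tag and the address is not rendered; escape it as `&lt;chabikhatim@gmail.com&gt;` or drop the brackets. The policy.txt added in this same commit points readers to https://verdigado.com/security-acknowledgements.html, while this file is named acknowledgements.html; either rename the file or make sure the deployment path matches so the link in the policy resolves. Minor: `<meta charset="utf-8">` uses plain HTML syntax while the viewport meta is self-closed with ` />`; pick one style for the file.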
60
policy.txt
Normal file
@ -0,0 +1,60 @@
verdigado & Netzbegruenung Security and Vulnerability Reporting Policy

1. Services Covered by this Policy

This policy covers all services directly operated by us (verdigado eG &
Netzbegruenung). Services can be identified by the following means:
- The website has a .well-known/security.txt that links to this policy.
- The reverse DNS of an IP address resolves to one of the following
domains: *.verdigado.net, *.verdigado.com, *.netzbegruenung.de

2. Classification of Vulnerabilities

We consider vulnerabilities as relevant when they meet one or more of
the following conditions:
- The vulnerability can be used to directly access non-public
information that either reveals further security relevant problems or
contains user data.
- The vulnerability can be used to disrupt the orderly operation of a
service.
- The vulnerability can be used to manipulate data within the service.
- XSS, CSRF, RCE, authentication/authorization bypass, SQL inections,
etc are considered relevant.

We consider reports of vulnerabilities not as relevant when they contain
the following information:
- A service is missing HTTP security headers or comparable "add-on security"
features.
- Publicly accessible version strings of used software.
- Security vulnerablities that can only be used within the scope of the
used account.

3. Reporting Vulnerabilities

Report vulnerabilities via e-mail to security@verdigado.com.

Please make sure that you include the following information:
- Which service is affected
- How can the bug be used/exploited
- Explanation of the risk

Reports will be answered within 48 hours. If you have not received an
answer within that time frame, please make sure to contact us again.

4. Bug Bounties / Vulnerability Rewards

The amount of reward payed depends on the severity of the found
vulnerability. We usually do not pay rewards if vulnerabilities can be
found in mass scans with of-the-shelf software.

5. Acknowledgement

We list recognized reports of vulnerablities online if the reporting
security researcher agrees. The name, contact e-mail address, and type of
vulnerability can be included in the list. Our public acknowledgements
can be found at https://verdigado.com/security-acknowledgements.html.

6. About this Policy

This policy is MIT licensed. Feel free to suggest modifications and
additions at https://github.com/digitalfabrik/security-policy.
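Review bot: several spelling errors in the policy text should be fixed before publishing: `SQL inections` (section 2) → `SQL injections`, `payed` (section 4) → `paid`, `of-the-shelf` (section 4) → `off-the-shelf`, and `vulnerablities` (sections 2 and 5) → `vulnerabilities`; the organisation is also spelled `Netzbegruenung` here but `Netzbegrünung` in acknowledgements.html in the same commit. Section 3 gives only a plain e-mail address, yet asks reporters to describe how the bug can be exploited; consider naming an encryption key (the `.well-known/security.txt` that section 1 relies on has a field for exactly that) so reports can be sent encrypted. Section 5 links to https://verdigado.com/security-acknowledgements.html, which does not match the file name acknowledgements.html added in this commit. Section 1 identifies in-scope hosts by wildcard domains but says nothing about third-party services (hosted mail, CDN) that may resolve under them; one sentence on whether those are covered would save researchers from testing against a provider.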