Update policy & add index

2022-01-02 16:12:57 +01:00 · 2022-01-02 16:12:57 +01:00 · 29bc08e78d
parent 24639b1482
commit 29bc08e78d
2 changed files with 55 additions and 17 deletions
--- a/index.html
+++ b/index.html
@ -0,0 +1,25 @@
+<!doctype html>
+
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>Security @ verdigado / Netzbegruenung</title>
+  <style>
+   h1, h2, h3 {
+    text-align: center;
+   }
+  </style>
+</head>
+<body style="background-color: #fff;">
+<div style="max-width: 600px; margin-left: auto; margin-right: auto;">
+
+<h1>Ressources</h1>
+<ul>
+  <li>Contact: security@verdigado.com</li>
+  <li><a href="policy.txt">Security and Vulnerability Reporting Policy</a></li>
+  <li><a href="acknowledgements.html">Acknowledgements for reported vulnerabilities</a></li>
+  <li><a href="https://cert.netzbegruenung.de">Netzbegruenung CERT</a></li>
+</div>
+</body>
+</html>
--- a/policy.txt
+++ b/policy.txt
@ -8,28 +8,34 @@ Netzbegruenung). Services can be identified by the following means:
 - The reverse DNS of an IP address resolves to one of the following
  domains: *.verdigado.net, *.verdigado.com, *.netzbegruenung.de

-2. Classification of Vulnerabilities
+2. Acceptable Use

-We consider vulnerabilities as relevant when they meet one or more of
-the following conditions:
+We generally invite security researchers to search for vulnerabilities
+in our services. We kindly ask to not put any actual user data or
+production systems at risk.
+
+3. Classification of Vulnerabilities
+
+We will consider a vulnerability report most likely as relevant if it
+reports one of the following problems:
 - The vulnerability can be used to directly access non-public
  information that either reveals further security relevant problems or
-  contains user data.
+  contains user data, credentials, or sensitive data in general.
 - The vulnerability can be used to disrupt the orderly operation of a
-  service.
+  service (Denial of Service).
 - The vulnerability can be used to manipulate data within the service.
 - XSS, CSRF, RCE, authentication/authorization bypass, SQL inections,
  etc are considered relevant.

-We consider reports of vulnerabilities not as relevant when they contain
-the following information:
- A service is missing HTTP security headers or comparable "add-on security"
-  features.
+We will consider a vulnerability report most likely as NOT relevant if
+it reports one of the following problems:
+- Missing security features, for example HTTP headers, if they are not
+  actually preventing a vulnerability.
 - Publicly accessible version strings of used software.
 - Security vulnerablities that can only be used within the scope of the
  used account.

-3. Reporting Vulnerabilities
+4. Reporting Vulnerabilities

 Report vulnerabilities via e-mail to security@verdigado.com.

@ -39,22 +45,29 @@ Please make sure that you include the following information:
 - Explanation of the risk

 Reports will be answered within 48 hours. If you have not received an
-answer within that time frame, please make sure to contact us again.
+answer within that time frame, feel free to contact us again.

-4. Bug Bounties / Vulnerability Rewards
+For used open source software, we recommend to file bug reports and/or
+pull requests against the upstream repositories. This includes hardening
+instructions in the installation documentation.
+
+5. Bug Bounties / Rewards

 The amount of reward payed depends on the severity of the found
 vulnerability. We usually do not pay rewards if vulnerabilities can be
 found in mass scans with of-the-shelf software.

-5. Acknowledgement
+Only responsible disclosures are eligible for rewards.
+
+6. Acknowledgement

 We list recognized reports of vulnerablities online if the reporting
-security researcher agrees. The name, contact e-mail address, and type of
-vulnerability can be included in the list. Our public acknowledgements
-can be found at https://verdigado.com/security-acknowledgements.html.
+security researcher agrees. The name, contact e-mail address, and type
+of vulnerability can be included in the list. Our public
+acknowledgements can be found at
+https://verdigado.com/security-acknowledgements.html.

-6. About this Policy
+7. About this Policy

 This policy is MIT licensed. Feel free to suggest modifications and
 additions at https://github.com/digitalfabrik/security-policy.