diff --git a/index.html b/index.html new file mode 100644 index 0000000..e9e26da --- /dev/null +++ b/index.html @@ -0,0 +1,25 @@ + + + + + + + Security @ verdigado / Netzbegruenung + + + +
+ +


+ + diff --git a/policy.txt b/policy.txt index 4938e39..c98e4e9 100644 --- a/policy.txt +++ b/policy.txt @@ -8,28 +8,34 @@ Netzbegruenung). Services can be identified by the following means: - The reverse DNS of an IP address resolves to one of the following domains: *.verdigado.net, *.verdigado.com, *.netzbegruenung.de -2. Classification of Vulnerabilities +2. Acceptable Use -We consider vulnerabilities as relevant when they meet one or more of -the following conditions: +We generally invite security researchers to search for vulnerabilities +in our services. We kindly ask to not put any actual user data or +production systems at risk. + +3. Classification of Vulnerabilities + +We will consider a vulnerability report most likely as relevant if it +reports one of the following problems: - The vulnerability can be used to directly access non-public information that either reveals further security relevant problems or - contains user data. + contains user data, credentials, or sensitive data in general. - The vulnerability can be used to disrupt the orderly operation of a - service. + service (Denial of Service). - The vulnerability can be used to manipulate data within the service. - XSS, CSRF, RCE, authentication/authorization bypass, SQL inections, etc are considered relevant. -We consider reports of vulnerabilities not as relevant when they contain -the following information: -- A service is missing HTTP security headers or comparable "add-on security" - features. +We will consider a vulnerability report most likely as NOT relevant if +it reports one of the following problems: +- Missing security features, for example HTTP headers, if they are not + actually preventing a vulnerability. - Publicly accessible version strings of used software. - Security vulnerablities that can only be used within the scope of the used account. -3. Reporting Vulnerabilities +4. Reporting Vulnerabilities Report vulnerabilities via e-mail to security@verdigado.com. 
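Review bot: The new "2. Acceptable Use" section conflicts with the relevance list it sits next to: it asks researchers not to put production systems at risk, while section 3 now explicitly lists "disrupt the orderly operation of a service (Denial of Service)" as relevant. As written, a researcher cannot tell whether actually triggering a DoS against production is acceptable. Suggest stating it in section 2, e.g. "Demonstrate denial-of-service conditions without executing them against production systems", and adding the other usual limits (no social engineering, no access to other users' data beyond what is needed to demonstrate the issue). The sentence "We kindly ask to not put any actual user data or production systems at risk." should read "We kindly ask you not to put any actual user data or production systems at risk." The rephrased relevance sentences are awkward: "We will consider a vulnerability report most likely as relevant if" reads better as "We will most likely consider a vulnerability report relevant if" (and the same for the NOT relevant variant). Since this hunk already touches the surrounding lines, the typos in the unchanged context lines "SQL inections" (injections) and "Security vulnerablities" (vulnerabilities) could be fixed in the same commit.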
@@ -39,22 +45,29 @@ Please make sure that you include the following information: - Explanation of the risk Reports will be answered within 48 hours. If you have not received an -answer within that time frame, please make sure to contact us again. +answer within that time frame, feel free to contact us again. -4. Bug Bounties / Vulnerability Rewards +For used open source software, we recommend to file bug reports and/or +pull requests against the upstream repositories. This includes hardening +instructions in the installation documentation. + +5. Bug Bounties / Rewards The amount of reward payed depends on the severity of the found vulnerability. We usually do not pay rewards if vulnerabilities can be found in mass scans with of-the-shelf software. -5. Acknowledgement +Only responsible disclosures are eligible for rewards. + +6. Acknowledgement We list recognized reports of vulnerablities online if the reporting -security researcher agrees. The name, contact e-mail address, and type of -vulnerability can be included in the list. Our public acknowledgements -can be found at https://verdigado.com/security-acknowledgements.html. +security researcher agrees. The name, contact e-mail address, and type +of vulnerability can be included in the list. Our public +acknowledgements can be found at +https://verdigado.com/security-acknowledgements.html. -6. About this Policy +7. About this Policy This policy is MIT licensed. Feel free to suggest modifications and additions at https://github.com/digitalfabrik/security-policy.
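Review bot: In the "5. Bug Bounties / Rewards" hunk, "Only responsible disclosures are eligible for rewards." makes eligibility depend on a term the policy never defines. A researcher cannot tell whether publishing after 90 days, or after the fix ships, still counts. Suggest spelling it out, e.g. "Reports are eligible for a reward only if the reporter does not publish details before we have fixed the issue or before an agreed disclosure date." The new upstream paragraph ("For used open source software, we recommend to file bug reports and/or pull requests against the upstream repositories.") leaves open whether a bug found in open source software running on a verdigado service should still be reported to security@verdigado.com as well, and whether such a report is eligible for a reward; one sentence saying "please also notify us so we can patch or mitigate our deployment" would close that gap. Grammar: "we recommend to file" should be "we recommend filing". The unchanged context lines carry two typos worth fixing while this section is being edited: "reward payed" (paid) and "of-the-shelf" (off-the-shelf). In section 7, the policy directs suggestions to https://github.com/digitalfabrik/security-policy although the document is verdigado's; if this repository is a fork, the link should point to verdigado's own copy so suggestions land where this file is maintained.

Review bot: For the new index.html, the hunk as shown contains only the title "Security @ verdigado / Netzbegruenung" and an otherwise empty body wrapper, so the page publishes nothing to a visitor. If it is meant to be the entry point for the policy, it should at least link to policy.txt and to the acknowledgements page https://verdigado.com/security-acknowledgements.html that section 6 of the policy references, and state the contact address security@verdigado.com.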