verdigado & Netzbegruenung Security and Vulnerability Reporting Policy


1. Services Covered by this Policy

This policy covers all services directly operated by us (verdigado eG &
Netzbegruenung). Services can be identified by the following means:

- The website has a .well-known/security.txt that links to this policy.

- The reverse DNS of an IP address resolves to a name in one of the
  following domains: *.verdigado.net, *.verdigado.com, *.netzbegruenung.de


2. Classification of Vulnerabilities

We consider vulnerabilities as relevant when they meet one or more of
the following conditions:

- The vulnerability can be used to directly access non-public
  information that either reveals further security-relevant problems or
  contains user data.

- The vulnerability can be used to disrupt the orderly operation of a
  service.

- The vulnerability can be used to manipulate data within the service.

- XSS, CSRF, RCE, authentication/authorization bypass, SQL injection,
  etc. are considered relevant.

We do not consider a report relevant when it only contains the
following information:

- A service is missing HTTP security headers or comparable "add-on
  security" features.

- Publicly accessible version strings of used software.

- Security vulnerabilities that can only be used within the scope of the
  account used to find them (i.e. no escalation of privilege or access
  to other users' data).


3. Reporting Vulnerabilities

Report vulnerabilities via e-mail to security@verdigado.com.

Please make sure that you include the following information:

- Which service is affected

- How the bug can be used/exploited

- Explanation of the risk

Reports will be answered within 48 hours. If you have not received an
answer within that time frame, please make sure to contact us again.


4. Bug Bounties / Vulnerability Rewards

The amount of the reward paid depends on the severity of the found
vulnerability. We usually do not pay rewards for vulnerabilities that
can be found in mass scans with off-the-shelf software.


5. Acknowledgement

We list recognized reports of vulnerabilities online if the reporting
security researcher agrees. The name, contact e-mail address, and type of
vulnerability can be included in the list. Our public acknowledgements
can be found at https://verdigado.com/security-acknowledgements.html.


6. About this Policy

This policy is MIT licensed. Feel free to suggest modifications and
additions at https://github.com/digitalfabrik/security-policy.