numbering for classification and note about publicly available information

make clear that accessing public information is not considered a vulnerability

Reviewed-on: #1
This commit is contained in:
Christian Tramnitz 2022-08-02 19:40:54 +02:00
parent 3adc401cc4
commit 5ee619229e
1 changed files with 16 additions and 15 deletions

@ -16,24 +16,25 @@ production systems at risk.
3. Classification of Vulnerabilities
We will consider a vulnerability report most likely as relevant if it
A) We will consider a vulnerability report most likely as relevant if it
reports one of the following problems:
- The vulnerability can be used to directly access non-public
information that either reveals further security relevant problems or
contains user data, credentials, or sensitive data in general.
- The vulnerability can be used to disrupt the orderly operation of a
service (Denial of Service).
- The vulnerability can be used to manipulate data within the service.
- XSS, CSRF, RCE, authentication/authorization bypass, SQL inections,
etc are considered relevant.
1. The vulnerability can be used to directly access non-public
information that either reveals further security relevant problems or
contains user data, credentials, or sensitive data in general.
2. The vulnerability can be used to disrupt the orderly operation of a
service (Denial of Service).
3. The vulnerability can be used to manipulate data within the service.
4. XSS, CSRF, RCE, authentication/authorization bypass, SQL inections,
etc are considered relevant.
We will consider a vulnerability report most likely as NOT relevant if
B) We will consider a vulnerability report most likely as NOT relevant if
it reports one of the following problems:
- Missing security features, for example HTTP headers, if they are not
actually preventing a vulnerability.
- Publicly accessible version strings of used software.
- Security vulnerablities that can only be used within the scope of the
used account.
1. Missing security features, for example HTTP headers, if they are not
actually preventing a vulnerability.
2. Publicly accessible information such as version strings of used
software and previously publicly known information in general.
3. Security vulnerablities that can only be used within the scope of the
used account.
4. Reporting Vulnerabilities
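Review bot: two spelling errors from the old bullet list are carried into the new numbered items and should be fixed in the same commit: "SQL inections" in item A.4 should read "SQL injections", and "Security vulnerablities" in item B.3 should read "Security vulnerabilities". On the new wording of B.2, "previously publicly known information in general" is ambiguous about where and to whom the information must be known; consider stating it as information the project has already published or that is reachable without authentication, so the exclusion cannot be read as dismissing a report just because the underlying bug class is well known. Also, the new lists run 1 to 4 under each of A) and B) while the next section heading in the trailing context is "4. Reporting Vulnerabilities", so a reader or an auto-numbering renderer can confuse list item 4 with section 4; indenting the items under their A)/B) headers or using a nested scheme such as 3.A.1 would remove that ambiguity.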