From 5ee619229ea68ca3022b5f61feee4c0eabec0ac3 Mon Sep 17 00:00:00 2001 From: Christian Tramnitz Date: Tue, 2 Aug 2022 19:40:54 +0200 Subject: [PATCH] numbering for classification and note about publicly available information make clear that accessing public information is not considered a vulnerability Reviewed-on: https://git.verdigado.com/NB-Public/security-hall-of-fame/pulls/1 --- policy.txt | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/policy.txt b/policy.txt index 23c7caa..9e87c68 100644 --- a/policy.txt +++ b/policy.txt 
@@ -16,24 +16,25 @@ production systems at risk. 3. Classification of Vulnerabilities -We will consider a vulnerability report most likely as relevant if it +A) We will consider a vulnerability report most likely as relevant if it reports one of the following problems: -- The vulnerability can be used to directly access non-public - information that either reveals further security relevant problems or - contains user data, credentials, or sensitive data in general. -- The vulnerability can be used to disrupt the orderly operation of a - service (Denial of Service). -- The vulnerability can be used to manipulate data within the service. -- XSS, CSRF, RCE, authentication/authorization bypass, SQL inections, - etc are considered relevant. + 1. The vulnerability can be used to directly access non-public + information that either reveals further security relevant problems or + contains user data, credentials, or sensitive data in general. + 2. The vulnerability can be used to disrupt the orderly operation of a + service (Denial of Service). + 3. The vulnerability can be used to manipulate data within the service. + 4. XSS, CSRF, RCE, authentication/authorization bypass, SQL inections, + etc are considered relevant. -We will consider a vulnerability report most likely as NOT relevant if +B) We will consider a vulnerability report most likely as NOT relevant if it reports one of the following problems: -- Missing security features, for example HTTP headers, if they are not - actually preventing a vulnerability. -- Publicly accessible version strings of used software. -- Security vulnerablities that can only be used within the scope of the - used account. + 1. Missing security features, for example HTTP headers, if they are not + actually preventing a vulnerability. + 2. Publicly accessible information such as version strings of used + software and previously publicly known information in general. + 3. 
Security vulnerablities that can only be used within the scope of the + used account. 4. Reporting Vulnerabilities
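Review bot: the renumbered A)4 line still carries the typo "SQL inections" (it should read "SQL injections"), and the B)3 context line keeps "vulnerablities"; since these lines are being rewritten anyway, fix both spellings in this patch rather than leaving them for a follow-up. The new B)2 wording "previously publicly known information in general" is also broader than the commit message states (accessing public information is not a vulnerability): as written it could be read to exclude a report about an unpatched, publicly known CVE affecting the service, which A)1 through A)4 would otherwise treat as relevant. Consider narrowing it to something like "Access to information that is already public, such as version strings of used software, or reports that only restate publicly known information without demonstrating impact on our systems."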