numbering for classification and note about publicly available information
make clear that accessing public information is not considered a vulnerability Reviewed-on: #1
This commit is contained in:
parent
3adc401cc4
commit
5ee619229e
31
policy.txt
@ -16,24 +16,25 @@ production systems at risk.
3. Classification of Vulnerabilities
3. Classification of Vulnerabilities
We will consider a vulnerability report most likely as relevant if it
A) We will consider a vulnerability report most likely as relevant if it
reports one of the following problems:
reports one of the following problems:
- The vulnerability can be used to directly access non-public
1. The vulnerability can be used to directly access non-public
information that either reveals further security relevant problems or
information that either reveals further security relevant problems or
contains user data, credentials, or sensitive data in general.
contains user data, credentials, or sensitive data in general.
- The vulnerability can be used to disrupt the orderly operation of a
2. The vulnerability can be used to disrupt the orderly operation of a
service (Denial of Service).
service (Denial of Service).
- The vulnerability can be used to manipulate data within the service.
3. The vulnerability can be used to manipulate data within the service.
- XSS, CSRF, RCE, authentication/authorization bypass, SQL inections,
4. XSS, CSRF, RCE, authentication/authorization bypass, SQL inections,
etc are considered relevant.
etc are considered relevant.
We will consider a vulnerability report most likely as NOT relevant if
B) We will consider a vulnerability report most likely as NOT relevant if
it reports one of the following problems:
it reports one of the following problems:
- Missing security features, for example HTTP headers, if they are not
1. Missing security features, for example HTTP headers, if they are not
actually preventing a vulnerability.
actually preventing a vulnerability.
- Publicly accessible version strings of used software.
2. Publicly accessible information such as version strings of used
- Security vulnerablities that can only be used within the scope of the
software and previously publicly known information in general.
used account.
3. Security vulnerablities that can only be used within the scope of the
used account.
4. Reporting Vulnerabilities
4. Reporting Vulnerabilities
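Review bot: The renumbered lines carry two existing misspellings forward unchanged, "SQL inections" in A.4 and "Security vulnerablities" in B.3; since this hunk already rewrites those lines, correct them to "SQL injections" and "Security vulnerabilities" in the same change. The new B.2 wording "and previously publicly known information in general" is broad enough to be read as also excluding a report that a publicly known vulnerability exists in an exposed component; if only the disclosure of the version string itself is meant to be out of scope, say so explicitly and note that a known vulnerability in deployed software is still judged under section A.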