as per suggested changes from review
This commit is contained in:
parent 7f1b4d6273
commit b2f3adb496
13
policy.txt
@ -16,7 +16,7 @@ production systems at risk.
3. Classification of Vulnerabilities
We will consider a vulnerability report most likely as relevant if it
A) We will consider a vulnerability report most likely as relevant if it
reports one of the following problems:
1. The vulnerability can be used to directly access non-public
information that either reveals further security relevant problems or
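Review bot: prefixing "A)" to the intro sentence makes it a sub-heading for the "relevant" list, but the numbered items beneath it still start at "1. The vulnerability can be used to directly access non-public" and the items under "B)" in the next hunk restart at 1 as well, so a bare reference such as "item 4" no longer identifies one criterion; either keep a single running sequence across A) and B) or number the items A.1, A.2, ... and B.1, B.2, .... While the heading is being touched, the unchanged context line "security relevant problems" would read better hyphenated as "security-relevant problems".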
@ -27,15 +27,14 @@ reports one of the following problems:
4. XSS, CSRF, RCE, authentication/authorization bypass, SQL inections,
etc are considered relevant.
We will consider a vulnerability report most likely as NOT relevant if
B) We will consider a vulnerability report most likely as NOT relevant if
it reports one of the following problems:
5. Missing security features, for example HTTP headers, if they are not
1. Missing security features, for example HTTP headers, if they are not
actually preventing a vulnerability.
6. Publicly accessible version strings of used software.
7. Security vulnerablities that can only be used within the scope of the
2. Publicly accessible information such as version strings of used
software and previously publicly known information in general.
3. Security vulnerablities that can only be used within the scope of the
used account.
8. Publicly available information even when retrieved over usually non-
public channels (i.e. APIs).
4. Reporting Vulnerabilities
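Review bot: the rewritten item "3. Security vulnerablities that can only be used within the scope of the used account." carries the misspelling "vulnerablities" over from the line it replaces; correct it to "vulnerabilities" while the line is being edited, and consider "the reporter's own account" in place of "the used account". Folding old item 8 into the new item 2 also loses its qualifier: "previously publicly known information in general" no longer states that such information stays out of scope even when it is retrieved over a normally non-public channel such as an API, which was the point of the deleted "8. Publicly available information even when retrieved over usually non-public channels (i.e. APIs)." line; keep that clause, with "e.g." rather than "i.e." since APIs are one example. The unchanged context line "SQL inections" should read "SQL injections".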