as per suggested changes from review

Christian Tramnitz 2022-07-29 13:11:23 +02:00
parent 7f1b4d6273
commit b2f3adb496


@ -16,7 +16,7 @@ production systems at risk.
3. Classification of Vulnerabilities
We will consider a vulnerability report most likely as relevant if it
A) We will consider a vulnerability report most likely as relevant if it
reports one of the following problems:
1. The vulnerability can be used to directly access non-public
information that either reveals further security relevant problems or
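Review bot: the added "A)" label on the relevant-reports sentence still carries the hedge "most likely as relevant", which reads as an opinion rather than a policy statement; since this text is what reporters will hold the project to, consider "A) We consider a vulnerability report relevant if it reports one of the following problems:" so the criteria, not the wording, decide. The label style is also mixed within this section: "A)" with a parenthesis for the group heading while the enclosing heading uses "3." and the sub-items use "1."; picking one list style keeps the rendered policy consistent.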
@ -27,15 +27,14 @@ reports one of the following problems:
4. XSS, CSRF, RCE, authentication/authorization bypass, SQL inections,
etc are considered relevant.
We will consider a vulnerability report most likely as NOT relevant if
B) We will consider a vulnerability report most likely as NOT relevant if
it reports one of the following problems:
5. Missing security features, for example HTTP headers, if they are not
1. Missing security features, for example HTTP headers, if they are not
actually preventing a vulnerability.
6. Publicly accessible version strings of used software.
7. Security vulnerablities that can only be used within the scope of the
2. Publicly accessible information such as version strings of used
software and previously publicly known information in general.
3. Security vulnerablities that can only be used within the scope of the
used account.
8. Publicly available information even when retrieved over usually non-
public channels (i.e. APIs).
4. Reporting Vulnerabilities
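Review bot: the added item 3 ("Security vulnerablities that can only be used within the scope of the") carries the typo "vulnerablities" over from the removed line; this is the moment to fix it to "vulnerabilities", and the unchanged context line "SQL inections" two lines above the hunk start has the same kind of typo ("injections"), so a follow-up fix in the same commit would be cheap. The merged item 2 ("Publicly accessible information such as version strings of used software and previously publicly known information in general") drops the qualifier from the removed item 8, "even when retrieved over usually non-public channels (i.e. APIs)"; that qualifier is the part reporters most often get wrong (already-public data pulled through an internal or undocumented endpoint is still public), so consider keeping it as a clause of item 2, e.g. "..., even when retrieved over channels that are usually not public, such as APIs."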