as per suggested changes from review
This commit is contained in:
parent
7f1b4d6273
commit
b2f3adb496
13
policy.txt
13
policy.txt
|
@ -16,7 +16,7 @@ production systems at risk.
|
||||||
|
|
||||||
3. Classification of Vulnerabilities
|
3. Classification of Vulnerabilities
|
||||||
|
|
||||||
We will consider a vulnerability report most likely as relevant if it
|
A) We will consider a vulnerability report most likely as relevant if it
|
||||||
reports one of the following problems:
|
reports one of the following problems:
|
||||||
1. The vulnerability can be used to directly access non-public
|
1. The vulnerability can be used to directly access non-public
|
||||||
information that either reveals further security relevant problems or
|
information that either reveals further security relevant problems or
|
||||||
|
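Review bot: the new "A)" prefix starts a lettered sub-enumeration inside the numbered section "3. Classification of Vulnerabilities", so the numbered list that follows ("1. The vulnerability can be used to directly access non-public ...") now nests under "A)"; indenting those items or restating them as "A.1", "A.2" would make the hierarchy visible in plain text. While touching this line, "security relevant problems" in the unchanged context should read "security-relevant problems".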
@ -27,15 +27,14 @@ reports one of the following problems:
|
||||||
4. XSS, CSRF, RCE, authentication/authorization bypass, SQL inections,
|
4. XSS, CSRF, RCE, authentication/authorization bypass, SQL inections,
|
||||||
etc are considered relevant.
|
etc are considered relevant.
|
||||||
|
|
||||||
We will consider a vulnerability report most likely as NOT relevant if
|
B) We will consider a vulnerability report most likely as NOT relevant if
|
||||||
it reports one of the following problems:
|
it reports one of the following problems:
|
||||||
5. Missing security features, for example HTTP headers, if they are not
|
1. Missing security features, for example HTTP headers, if they are not
|
||||||
actually preventing a vulnerability.
|
actually preventing a vulnerability.
|
||||||
6. Publicly accessible version strings of used software.
|
2. Publicly accessible information such as version strings of used
|
||||||
7. Security vulnerablities that can only be used within the scope of the
|
software and previously publicly known information in general.
|
||||||
|
3. Security vulnerablities that can only be used within the scope of the
|
||||||
used account.
|
used account.
|
||||||
8. Publicly available information even when retrieved over usually non-
|
|
||||||
public channels (i.e. APIs).
|
|
||||||
|
|
||||||
4. Reporting Vulnerabilities
|
4. Reporting Vulnerabilities
|
||||||
|
|
||||||
|
|
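Review bot: the merged item "2. Publicly accessible information such as version strings of used software and previously publicly known information in general." drops the qualifier from the removed item 8, "even when retrieved over usually non-public channels (i.e. APIs)", which was the distinguishing point of that rule; consider keeping that clause (with "e.g." rather than "i.e.") so reporters see that the channel of retrieval does not make public information a finding. Two spelling fixes could ride along: "SQL inections" in the unchanged context line 4 should be "SQL injections", and "Security vulnerablities" in the new item 3 should be "Security vulnerabilities".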