introduced numbering for classification and added 3.8 #1

Merged
christian.tramnitz merged 2 commits from ctr-policy-suggestion-01 into master 2022-08-02 19:40:55 +02:00
Showing only changes of commit b2f3adb496

@ -16,7 +16,7 @@ production systems at risk.
3. Classification of Vulnerabilities
We will consider a vulnerability report most likely as relevant if it
A) We will consider a vulnerability report most likely as relevant if it
reports one of the following problems:
1. The vulnerability can be used to directly access non-public
information that either reveals further security relevant problems or
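Review bot: the new line only prefixes "A)" to the unchanged sentence "We will consider a vulnerability report most likely as relevant if it", so the lettered marker reads as another list item in front of items 1 to 4 rather than as the sub-heading it is meant to be; put "A)" (or a sub-heading such as "3.A Relevant reports") on its own line and keep the sentence beneath it, and check that any cross-references to "3.1" to "3.4" elsewhere in the policy still resolve once the items are nested under A).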
@ -27,15 +27,14 @@ reports one of the following problems:
4. XSS, CSRF, RCE, authentication/authorization bypass, SQL inections,
etc are considered relevant.
We will consider a vulnerability report most likely as NOT relevant if
B) We will consider a vulnerability report most likely as NOT relevant if
it reports one of the following problems:
5. Missing security features, for example HTTP headers, if they are not
1. Missing security features, for example HTTP headers, if they are not
actually preventing a vulnerability.
6. Publicly accessible version strings of used software.
7. Security vulnerablities that can only be used within the scope of the
2. Publicly accessible information such as version strings of used
software and previously publicly known information in general.
3. Security vulnerablities that can only be used within the scope of the
used account.
8. Publicly available information even when retrieved over usually non-
public channels (i.e. APIs).
4. Reporting Vulnerabilities
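Review bot: folding the former item 8 ("Publicly available information even when retrieved over usually non-public channels (i.e. APIs)") into the new item 2 drops the "even when retrieved over usually non-public channels" qualifier; "previously publicly known information in general" does not obviously cover information that is public but was reached through an API, so keep that phrase if the case is still meant to be excluded. The rewritten item 3 also carries the "vulnerablities" typo over from the removed item 7 (fix to "vulnerabilities" while the line is being touched), and the nearby context line still reads "SQL inections". Finally, with both the A) and B) lists restarting at 1, a bare reference such as "3.2" is now ambiguous; the commit title's "3.8" no longer exists at all, so references should use the form 3.A.2 / 3.B.2.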