
Scope of vulnerability reports

Vulnerabilities that fall within this Responsible Disclosure policy include (but are not limited to):

  • Injection vulnerabilities
  • Broken Authentication and Session Management
  • Cross Site Scripting (XSS)
  • Remote Code Execution
  • Insecure Direct Object Reference
  • Sensitive Data Exposure
  • Security Misconfiguration
  • Missing Function Level Access Control
  • Using Components with Known Vulnerabilities
  • Unvalidated Redirects and Forwards
  • Directory/Path traversal
  • Exposed credentials

Vulnerabilities that fall outside this Responsible Disclosure policy include (but are not limited to):

  • Issues that require unlikely user interaction
  • Account enumeration using brute-force attacks
  • Rate limiting or brute-force issues on non-authentication endpoints
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Weak password policies and password complexity requirements
  • Missing HTTP security headers that do not lead to a demonstrable vulnerability
  • Missing best practices in Content Security Policy
  • Clickjacking on static websites or on pages with no sensitive actions
  • Reports from automated tools or scans without manual verification
  • Vulnerabilities only affecting users of outdated or unpatched browsers (more than two stable versions behind the latest released stable version)
  • Presence of the autocomplete attribute on web forms
  • Missing HttpOnly or Secure flags on non-sensitive cookies
  • Reports of SSL/TLS issues, missing best practices or insecure ciphers
  • Mail configuration issues, including invalid, incomplete or missing SPF, DKIM or DMARC records
  • Self-exploitation attacks
  • Social engineering attacks
  • Test versions of applications
  • Attacks requiring a man-in-the-middle position or physical access to a user's device
  • Previously known vulnerable libraries without a working proof of concept
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability
  • Any activity that could lead to disruption of our service (DoS)
  • Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS
  • Software version disclosure, banner identification issues and descriptive error messages or headers (e.g. stack traces, application or server errors)
  • Tabnabbing
  • Open redirect, unless an additional security impact can be demonstrated