Scope of vulnerability reports

Vulnerabilities that fall within this Responsible Disclosure policy include (but are not limited to):

  • Injection vulnerabilities
  • Broken Authentication and Session Management
  • Cross Site Scripting (XSS)
  • Remote Code Execution
  • Insecure Direct Object Reference
  • Sensitive Data Exposure
  • Security Misconfiguration
  • Missing Function Level Access Control
  • Using Components with Known Vulnerabilities
  • Unvalidated Redirects and Forwards
  • Directory/path traversal
  • Exposed credentials

Vulnerabilities that fall outside this Responsible Disclosure policy include (but are not limited to):

  • Account enumeration using brute-force attacks
  • Cross-Site Request Forgery
  • Weak password policies and password complexity requirements
  • Missing HTTP security headers which do not lead to a vulnerability
  • Clickjacking on static websites
  • Reports from automated tools or scans
  • Vulnerabilities affecting users of outdated browsers
  • Presence of autocomplete attribute on web forms
  • Missing cookie flags on non-sensitive cookies
  • Reports of SSL issues, best practices or insecure ciphers
  • Incomplete or missing SPF/DMARC/DKIM records
  • Self-exploitation attacks
  • Social Engineering attacks
  • Test versions of applications
  • Mail configuration issues including SPF, DKIM, DMARC settings
  • Clickjacking on pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Attacks requiring MITM or physical access to a user's device
  • Previously known vulnerable libraries without a working Proof of Concept
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability
  • Missing best practices in SSL/TLS configuration
  • Any activity that could lead to the disruption of our service (DoS)
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Rate limiting or brute-force issues on non-authentication endpoints
  • Missing best practices in Content Security Policy
  • Missing HttpOnly or Secure flags on cookies
  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
  • Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)
  • Tabnabbing
  • Open redirect - unless an additional security impact can be demonstrated
  • Issues that require unlikely user interaction