From fb56b48ab3ab3b0edf4a9d910e4cfd6f3885b5b3 Mon Sep 17 00:00:00 2001 From: Sven Seeberg Date: Tue, 26 Sep 2023 09:36:34 +0200 Subject: [PATCH] Add rules for known vulnerabilites --- POLICY.txt | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/POLICY.txt b/POLICY.txt index 705a527..d32c7c5 100644 --- a/POLICY.txt +++ b/POLICY.txt @@ -26,6 +26,9 @@ reports one of the following problems: - The vulnerability can be used to manipulate data within the service. - XSS, CSRF, RCE, authentication/authorization bypass, SQL inections, etc are considered relevant. +- Known vulnerabilities with a CVSS score greater than 7 that have not + yet been patched by the vendor and should therefore be mitigated by + other means until the patch is released and installed. We will consider a vulnerability report most likely as NOT relevant if it reports one of the following problems: @@ -34,6 +37,8 @@ it reports one of the following problems: - Publicly accessible version strings of used software. - Security vulnerablities that can only be used within the scope of the used account. +- The vulnerability exists in a third party software and is already + known. 4. Reporting Vulnerabilities @@ -44,9 +49,11 @@ Please make sure that you include the following information: - Which service is affected - How can the bug be used/exploited - Explanation of the risk +- If possible, include a estimated CVSS score Reports will be answered within 48 hours. If you have not received an -answer within that time frame, feel free to contact us again. +answer within that time frame, feel free to contact us again. Please do +not ask for updates on a ticket repeatedly. For used open source software, we recommend to file bug reports and/or pull requests against the upstream repositories. This includes hardening
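Review bot: In the first hunk (the new "Known vulnerabilities" bullet under the relevant-problems list), "a CVSS score greater than 7" leaves 7.0 itself undefined and does not say which score is meant; the CVSS "High" band starts at 7.0 inclusive, so "a CVSS base score of 7.0 or higher" (and naming the CVSS version the policy uses) would remove the ambiguity. The bullet also reads as a description rather than a criterion: "have not yet been patched by the vendor and should therefore be mitigated" states what ought to happen, not what makes a report relevant. Suggested wording: "- Known vulnerabilities in used software with a CVSS base score of 7.0 or higher for which no vendor patch is available and no other mitigation has been applied." While touching this region, the context line "SQL inections" is a pre-existing typo ("SQL injections") that could be fixed in the same change.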
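Review bot: The second hunk's new exclusion, "The vulnerability exists in a third party software and is already known.", contradicts the criterion added in the first hunk: a known, unpatched, high-CVSS issue in third-party software matches both the relevant list and the not-relevant list, so a reporter cannot tell which applies. The exclusion should be narrowed to the case the policy actually means, for example known third-party vulnerabilities for which a vendor patch or a mitigation is already in place, and should say known to whom (publicly disclosed, or already known to the service operator). Minor: "a third party software" should be "third-party software" (uncountable noun, hyphenated adjective).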
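Review bot: In the third hunk, "include a estimated CVSS score" should read "include an estimated CVSS score", and asking for the CVSS vector string alongside the numeric score would let the triage team verify how the score was derived rather than taking the number on its own. The appended sentence "Please do not ask for updates on a ticket repeatedly." sits directly after "feel free to contact us again", which invites exactly that; stating a concrete interval (for example, "If you have not received an answer within 48 hours, contact us again; after that, please allow N days between follow-ups") would make the two sentences consistent instead of leaving the reporter to guess what "repeatedly" means.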