Vulnerability Reporting
1. Introduction:
This policy outlines the process for third-party hackers, security researchers, and the general public to responsibly disclose vulnerabilities they discover in our systems, software, or services. We value the contributions of the security community and recognize the importance of their role in maintaining the highest security standards.
2. Scope:
This policy applies to any digital assets owned, operated, or maintained by ServerAstra. This includes websites, applications, servers, and other related technologies.
3. Reporting Process:
- Initial Report: Send your vulnerability report to our Security Team. Please provide as much detail as possible, including steps to reproduce the vulnerability, potential impact, and any proof-of-concept.
- Acknowledgment: We will acknowledge receipt of your report within 48 hours.
- Evaluation: Our security team will evaluate the vulnerability. We aim to validate and determine its severity within 10 days.
- Feedback: We will provide feedback on the status and any planned remediation actions.
- Remediation & Disclosure: Once the vulnerability is addressed, we will inform you of the resolution and discuss coordinated public disclosure.
4. Safe Harbor:
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized concerning any applicable anti-hacking laws.
- Exempt from restrictions in our Terms of Service that would interfere with conducting security research.
- Lawful and helpful to the overall security of the Internet.
5. Responsible Disclosure Guidelines:
To encourage responsible disclosure, we ask that you:
- Do No Harm: Do not exploit the vulnerability beyond what is necessary to demonstrate it. Do not use it for malicious intent or to access unauthorized data.
- Avoid Data Breach: Do not extract, modify, or delete data. If Personally Identifiable Information (PII) is encountered, cease testing and report immediately.
- Maintain Confidentiality: Do not disclose the vulnerability to third parties or the public until we've had a chance to address it.
- Use Test Accounts: If testing requires accounts, create your own accounts for this purpose.
6. Out of Scope Vulnerabilities:
The following vulnerabilities are considered out of scope and will not be eligible for rewards:
- Our policies on presence or absence of SPF/DKIM/DMARC records.
- CSRF vulnerabilities on static pages (only on pages behind logon).
- Redirection from HTTP to HTTPS.
- HTML does not specify charset or uses an unrecognised charset.
- Cookie without HttpOnly flag set.
- Absence of using HTTP Strict Transport Security (HSTS).
- Clickjacking or the non-existence of X-Frame-Options on non-logon pages.
- Server or third-party application version revealed and possibly outdated without Proof of Concept on the exploitation.
- Reports of unsecured SSL/TLS ciphers and other misconfigurations.
- Generic vulnerabilities related to software or protocols not under control of ServerAstra.
- Distributed Denial of Service Attacks.
- Spam or Social Engineering techniques.
- Reports of regular scans like Port scanners.
- Publicly disclosed 0-day vulnerabilities which are already being patched/handled.
- Web Session persistence over credentials change/reset.
7. Rewards:
While we are grateful for all vulnerability reports, we offer rewards for significant findings based on the severity and impact of the vulnerability. Rewards range from €25 to €2,500. The final decision on the reward amount is at our discretion.
8. Conclusion:
We appreciate the time and effort of the security community in helping us maintain the highest security standards. By working together, we can ensure a safer digital environment for all our users.