ict:responsible-disclosure

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
ict:responsible-disclosure [2020/08/26 18:56] - Recent disclosures added. jonathan
ict:responsible-disclosure [2020/09/09 08:39] (current) - [Configuration Issues] jonathan
Line 12: Line 12:
 If these conditions are adhered to, we promise in return: If these conditions are adhered to, we promise in return:
  
-  * to reply to your e-mail within 2 business days, and within 7 business days within the academic holidays of the University of Twente;ย +  * to reply to your e-mail within 14 days;ย 
-  * to fix the vulnerability within at most 31 days after we process your e-mail;+  * to fix the vulnerability within 60 days after we acknowledge the vulnerability;
   * to give you credit for disclosing the bug and/or vulnerability;   * to give you credit for disclosing the bug and/or vulnerability;
   * to allow you to publicly disclose the bug and/or vulnerability after we have fixed it, if you so wish;   * to allow you to publicly disclose the bug and/or vulnerability after we have fixed it, if you so wish;
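Review bot: the two new deadlines compound, but the text does not say so. A reply within 14 days plus a fix within 60 days "after we acknowledge the vulnerability" means the fix clock now starts at acknowledgement rather than at receipt of the report, so a reporter can wait up to 74 days in total. Consider stating that combined worst case explicitly (for example "at most 74 days after your report"), since the later promise to allow public disclosure "after we have fixed it" otherwise depends on a date the reporter cannot predict.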
Line 19: Line 19:
  
 Please keep in mind that this IT environment is run by volunteering students. While we take security incidents very serious, we don't have a dedicated, full-time team watching our security mailbox. Please keep in mind that this IT environment is run by volunteering students. While we take security incidents very serious, we don't have a dedicated, full-time team watching our security mailbox.
 +
 +====== Known configuration issues ======
 +Due to the number of duplicate reports, please be sure to check the list below for known issues.
 +
 +  * Our e-mail domains don't have any DKIM records present due to a technical incompatibility. We make do with SPF records.
 +  * There is no option to invalidate your own account sessions. We haven't found a way to make this work with our session driver and due to the low impact, we're leaving this as is.
  
 ====== PGP keys ====== ====== PGP keys ======
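Review bot: the new Known configuration issues list is meant to cut duplicate reports, but its two entries do not give a reporter enough to recognise their finding in it. The DKIM item cites "a technical incompatibility" without naming the component that cannot sign mail, and the session item calls the gap "low impact" without saying why, or whether it also holds after a password change. Suggest one clause per item naming the affected system and the accepted-risk reasoning, so a reporter can tell a known issue from a new one.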
Line 30: Line 36:
 The following people have already responsibly disclosed a security vulnerability or configuration issue in our website. A huge thanks to them! ๐Ÿ‘๐Ÿฝ The following people have already responsibly disclosed a security vulnerability or configuration issue in our website. A huge thanks to them! ๐Ÿ‘๐Ÿฝ
  
-  * **[[https://www.linkedin.com/in/r0x4r/|Eshan Singh]] alerted us to some missing rate limiting precautions on authentication endpoints on //August 20, 2020//.ย +===== Security Vulnerabilities =====ย 
-  * **[[https://www.linkedin.com/in/badal-sardhara-9b43a41a5|Badal Sardhara]] alerted us to some missing SPF records on //August 20, 2020//.ย +  * **[[https://www.linkedin.com/in/sagarbanwa/|Sagar Banwa]]** disclosed a persistent XSS vulnerability on the User Dashboard on //August 7, 2020//.
-  * **[[https://www.linkedin.com/in/niraj1mahajan|Niraj Mahajan]] suggested that deleting user accounts should require a password, making the site a little safer, on //August 19, 2020//.ย +
-  * **[[https://www.linkedin.com/in/sagarbanwa/|Sagar Banwa]]** disclosed an XSS vulnerability on the User Dashboard on //August 7, 2020//.+
   * **[[https://emilenijssen.nl/|Emile Nijssen]]** disclosed a user input sanitation omission in our UTwente addressbook search on //May 12, 2020//.   * **[[https://emilenijssen.nl/|Emile Nijssen]]** disclosed a user input sanitation omission in our UTwente addressbook search on //May 12, 2020//.
-  * **[[https://www.linkedin.com/in/vishaljain113/|Vishal Jain]]** disclosed an XSS vulnerability in one of our API endpoints on //May 25, 2018//. 
   * **Wouter Kobes** disclosed that it was possible for any user to change the profile photo of any other user on //March 15, 2018//.   * **Wouter Kobes** disclosed that it was possible for any user to change the profile photo of any other user on //March 15, 2018//.
 +
 +===== Configuration Issues =====
 +  * **[[https://www.linkedin.com/in/mohammed-abdul-kareem4855/|Mohammed Abdul Kareem]]** alerted us to a missing ''X-Content-Type-Options'' header on //September 2, 2020//.
 +  * **[[https://www.linkedin.com/in/dhanumaalaian-r-b34338189/|Dhanumaalaian R]]** alerted us to some missing CAA records on //September 2, 2020//.
 +  * **[[https://www.linkedin.com/in/HemantSolo/|Hemant Patidar]]** suggested that changing the e-mail associated with your account could be done a little safer on //August 30, 2020//.
 +  * **[[https://www.linkedin.com/in/rohan-chaudhari-53aa51174|BABABOUNTY]]** alerted us to some missing HSTS headers on //August 28, 2020//.
 +  * **[[https://twitter.com/Adityarana1234?s=09|Aditya Rana]]** alerted us to some missing CSP headers on //August 28, 2020//.
 +  * **[[https://www.linkedin.com/in/shubham-panchal-636744161/|Shubham Panchal]]** alerted us to some missing HSTS headers on //August 27, 2020//.
 +  * **[[https://www.linkedin.com/in/r0x4r/|Eshan Singh]]** alerted us to some missing rate limiting precautions on authentication endpoints on //August 20, 2020//.
 +  * **[[https://www.linkedin.com/in/badal-sardhara-9b43a41a5|Badal Sardhara]]** alerted us to some missing SPF records on //August 20, 2020//.
 +  * **[[https://www.linkedin.com/in/niraj1mahajan|Niraj Mahajan]]** suggested that deleting user accounts should require a password, making the site a little safer, on //August 19, 2020//.
 +  * **[[https://www.linkedin.com/in/vishaljain113/|Vishal Jain]]** alerted us to missing XSS protection in one of our API endpoints on //May 25, 2018//.
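Review bot: the split into Security Vulnerabilities and Configuration Issues classifies two similar findings differently. Sagar Banwa's XSS on the User Dashboard stays under vulnerabilities, while Vishal Jain's entry, previously "an XSS vulnerability in one of our API endpoints", moves under configuration issues reworded as "missing XSS protection". If the distinction is that one was exploitable and the other a missing protective header, a one-line definition at the top of each sub-list would make that clear and let future reporters know where their finding will land. The entries for Hemant Patidar and Niraj Mahajan ("could be done a little safer", "making the site a little safer") would also benefit from naming the control that was added, as the other entries do.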
ict/responsible-disclosure.1598461000.txt.gz · Last modified: 2020/08/26 18:56 by jonathan