ict:responsible-disclosure

ict:responsible-disclosure [2020/09/01 22:26] – [Hall of Fame 🏆] jonathan
ict:responsible-disclosure [2020/09/09 08:39] (current) – [Configuration Issues] jonathan
Line 36: Line 36:
 The following people have already responsibly disclosed a security vulnerability or configuration issue in our website. A huge thanks to them! ๐Ÿ‘๐Ÿฝ The following people have already responsibly disclosed a security vulnerability or configuration issue in our website. A huge thanks to them! ๐Ÿ‘๐Ÿฝ
  
 +===== Security Vulnerabilities =====
 +  * **[[https://www.linkedin.com/in/sagarbanwa/|Sagar Banwa]]** disclosed a persistent XSS vulnerability on the User Dashboard on //August 7, 2020//.
 +  * **[[https://emilenijssen.nl/|Emile Nijssen]]** disclosed a user input sanitation omission in our UTwente addressbook search on //May 12, 2020//.
 +  * **Wouter Kobes** disclosed that it was possible for any user to change the profile photo of any other user on //March 15, 2018//.
 +
 +===== Configuration Issues =====
 +  * **[[https://www.linkedin.com/in/mohammed-abdul-kareem4855/|Mohammed Abdul Kareem]]** alerted us to a missing ''X-Content-Type-Options'' header on //September 2, 2020//.
 +  * **[[https://www.linkedin.com/in/dhanumaalaian-r-b34338189/|Dhanumaalaian R]]** alerted us to some missing CAA records on //September 2, 2020//.
   * **[[https://www.linkedin.com/in/HemantSolo/|Hemant Patidar]]** suggested that changing the e-mail associated with your account could be done a little safer on //August 30, 2020//.   * **[[https://www.linkedin.com/in/HemantSolo/|Hemant Patidar]]** suggested that changing the e-mail associated with your account could be done a little safer on //August 30, 2020//.
 +  * **[[https://www.linkedin.com/in/rohan-chaudhari-53aa51174|BABABOUNTY]]** alerted us to some missing HSTS headers on //August 28, 2020//.
 +  * **[[https://twitter.com/Adityarana1234?s=09|Aditya Rana]]** alerted us to some missing CSP headers on //August 28, 2020//.
   * **[[https://www.linkedin.com/in/shubham-panchal-636744161/|Shubham Panchal]]** alerted us to some missing HSTS headers on //August 27, 2020//.   * **[[https://www.linkedin.com/in/shubham-panchal-636744161/|Shubham Panchal]]** alerted us to some missing HSTS headers on //August 27, 2020//.
   * **[[https://www.linkedin.com/in/r0x4r/|Eshan Singh]]** alerted us to some missing rate limiting precautions on authentication endpoints on //August 20, 2020//.   * **[[https://www.linkedin.com/in/r0x4r/|Eshan Singh]]** alerted us to some missing rate limiting precautions on authentication endpoints on //August 20, 2020//.
   * **[[https://www.linkedin.com/in/badal-sardhara-9b43a41a5|Badal Sardhara]]** alerted us to some missing SPF records on //August 20, 2020//.   * **[[https://www.linkedin.com/in/badal-sardhara-9b43a41a5|Badal Sardhara]]** alerted us to some missing SPF records on //August 20, 2020//.
   * **[[https://www.linkedin.com/in/niraj1mahajan|Niraj Mahajan]]** suggested that deleting user accounts should require a password, making the site a little safer, on //August 19, 2020//.   * **[[https://www.linkedin.com/in/niraj1mahajan|Niraj Mahajan]]** suggested that deleting user accounts should require a password, making the site a little safer, on //August 19, 2020//.
-  * **[[https://www.linkedin.com/in/sagarbanwa/|Sagar Banwa]]** disclosed an XSS vulnerability on the User Dashboard on //August 7, 2020//. 
-  * **[[https://emilenijssen.nl/|Emile Nijssen]]** disclosed a user input sanitation omission in our UTwente addressbook search on //May 12, 2020//. 
   * **[[https://www.linkedin.com/in/vishaljain113/|Vishal Jain]]** alerted us to missing XSS protection in one of our API endpoints on //May 25, 2018//.   * **[[https://www.linkedin.com/in/vishaljain113/|Vishal Jain]]** alerted us to missing XSS protection in one of our API endpoints on //May 25, 2018//.
-  * **Wouter Kobes** disclosed that it was possible for any user to change the profile photo of any other user on //March 15, 2018//. 
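Review bot: the split into "Security Vulnerabilities" and "Configuration Issues" leaves one entry inconsistently placed: Vishal Jain's report of missing XSS protection in an API endpoint (May 25, 2018) stays in the Configuration Issues list, while the comparable XSS finding by Sagar Banwa is moved to the new Security Vulnerabilities section; consider moving the Vishal Jain entry as well. The two process suggestions (Hemant Patidar on e-mail changes, Niraj Mahajan on requiring a password to delete an account) are also account-flow hardening rather than server configuration, so either heading should say which category covers them or they belong under Security Vulnerabilities.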
ict/responsible-disclosure.1598991982.txt.gz · Last modified: 2020/09/01 22:26 by jonathan