^ ict:responsible-disclosure [2020/09/01 22:26] → [Hall of Fame] jonathan ^ ict:responsible-disclosure [2020/09/09 08:39] (current) → [Configuration Issues] jonathan ^
| The following people have already responsibly disclosed a security vulnerability or configuration issue in our website. A huge thanks to them! | The following people have already responsibly disclosed a security vulnerability or configuration issue in our website. A huge thanks to them! |
| | |
| | ===== Security Vulnerabilities ===== |
| | * **[[https://www.linkedin.com/in/sagarbanwa/|Sagar Banwa]]** disclosed a persistent XSS vulnerability on the User Dashboard on //August 7, 2020//. |
| | * **[[https://emilenijssen.nl/|Emile Nijssen]]** disclosed a user input sanitation omission in our UTwente addressbook search on //May 12, 2020//. |
| | * **Wouter Kobes** disclosed that it was possible for any user to change the profile photo of any other user on //March 15, 2018//. |
| | |
| | ===== Configuration Issues ===== |
| | * **[[https://www.linkedin.com/in/mohammed-abdul-kareem4855/|Mohammed Abdul Kareem]]** alerted us to a missing ''X-Content-Type-Options'' header on //September 2, 2020//. |
| | * **[[https://www.linkedin.com/in/dhanumaalaian-r-b34338189/|Dhanumaalaian R]]** alerted us to some missing CAA records on //September 2, 2020//. |
| * **[[https://www.linkedin.com/in/HemantSolo/|Hemant Patidar]]** suggested that changing the e-mail associated with your account could be done a little safer on //August 30, 2020//. | * **[[https://www.linkedin.com/in/HemantSolo/|Hemant Patidar]]** suggested that changing the e-mail associated with your account could be done a little safer on //August 30, 2020//. |
| | * **[[https://www.linkedin.com/in/rohan-chaudhari-53aa51174|BABABOUNTY]]** alerted us to some missing HSTS headers on //August 28, 2020//. |
| | * **[[https://twitter.com/Adityarana1234?s=09|Aditya Rana]]** alerted us to some missing CSP headers on //August 28, 2020//. |
| * **[[https://www.linkedin.com/in/shubham-panchal-636744161/|Shubham Panchal]]** alerted us to some missing HSTS headers on //August 27, 2020//. | * **[[https://www.linkedin.com/in/shubham-panchal-636744161/|Shubham Panchal]]** alerted us to some missing HSTS headers on //August 27, 2020//. |
| * **[[https://www.linkedin.com/in/r0x4r/|Eshan Singh]]** alerted us to some missing rate limiting precautions on authentication endpoints on //August 20, 2020//. | * **[[https://www.linkedin.com/in/r0x4r/|Eshan Singh]]** alerted us to some missing rate limiting precautions on authentication endpoints on //August 20, 2020//. |
| * **[[https://www.linkedin.com/in/badal-sardhara-9b43a41a5|Badal Sardhara]]** alerted us to some missing SPF records on //August 20, 2020//. | * **[[https://www.linkedin.com/in/badal-sardhara-9b43a41a5|Badal Sardhara]]** alerted us to some missing SPF records on //August 20, 2020//. |
| * **[[https://www.linkedin.com/in/niraj1mahajan|Niraj Mahajan]]** suggested that deleting user accounts should require a password, making the site a little safer, on //August 19, 2020//. | * **[[https://www.linkedin.com/in/niraj1mahajan|Niraj Mahajan]]** suggested that deleting user accounts should require a password, making the site a little safer, on //August 19, 2020//. |
| * **[[https://www.linkedin.com/in/sagarbanwa/|Sagar Banwa]]** disclosed an XSS vulnerability on the User Dashboard on //August 7, 2020//. | |
| * **[[https://emilenijssen.nl/|Emile Nijssen]]** disclosed a user input sanitation omission in our UTwente addressbook search on //May 12, 2020//. | |
| * **[[https://www.linkedin.com/in/vishaljain113/|Vishal Jain]]** alerted us to missing XSS protection in one of our API endpoints on //May 25, 2018//. | * **[[https://www.linkedin.com/in/vishaljain113/|Vishal Jain]]** alerted us to missing XSS protection in one of our API endpoints on //May 25, 2018//. |
| * **Wouter Kobes** disclosed that it was possible for any user to change the profile photo of any other user on //March 15, 2018//. | |