Created April 29, 2016 13:59
Policy for bug reporting and categories
Focus areas:
- Cross-site request forgery on critical actions (the control panel is out of scope)
- Cross-site scripting (XSS)
- Remote code execution / shell injection
- Authentication bypass
- SQL injection

P1/P2 issues:
- Remote code execution
- SQL injection in critical areas leading to sensitive data disclosure
- Authentication bypass in critical areas
- CSRF of critical functions (leading to sensitive data disclosure or update)

P3:
- Authentication bypass in important functions
- Session fixation with PoC (of account takeover)

P4/P5:
- XSS
- Sensitive data in URL
- Exposed session token in URL
- Error pages with stack trace

The following finding types are specifically excluded from the bounty:
- Information disclosure not associated with a vulnerability, i.e. stack traces, application or server errors, robots.txt
- Use of known-vulnerable libraries (such as OpenSSL) without proof of exploitation
- Vulnerabilities affecting end-of-life browsers or platforms
- Lack of Secure/HttpOnly flags on non-sensitive cookies
- Login or forgotten-password page brute forcing and account lockout not being enforced
- Application denial of service by locking user accounts
- Password or account recovery policies, such as reset link expiration or password complexity
- Reports from automated scripts or scanners
- Network-level denial of service (DoS/DDoS) vulnerabilities
- Findings from physical testing such as office access (e.g. open doors, tailgating)
- Findings derived primarily from social engineering (e.g. phishing, vishing, smishing)
- Functional, UI and UX bugs and spelling mistakes
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Logged-out cross-site request forgery (logout CSRF)
- Presence of application or web browser 'autocomplete' or 'save password' functionality
- OPTIONS / TRACE HTTP methods being enabled
- Modification of headers, URLs, POST body content or server responses by man-in-the-middle attacks
- Fingerprinting / banner disclosure on common/public services
- Clickjacking and issues only exploitable through clickjacking
- No / weak captcha / captcha bypass
- HTTPS mixed-content scripts
- Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.:
  - Strict-Transport-Security
  - X-Frame-Options
  - X-XSS-Protection
  - X-Content-Type-Options
  - Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  - Content-Security-Policy-Report-Only
- SSL issues, e.g.:
  - SSL attacks such as BEAST, BREACH, renegotiation attack
  - SSL forward secrecy not enabled
  - SSL weak / insecure cipher suites