Responsible Disclosure Policy Forhosting
At Forhosting we take the security of our systems, our network and our products very seriously, and we pay close attention to it during development and maintenance. Nevertheless, a weak spot may still be found. If you discover one, we would like to hear about it as soon as possible, so that we can take measures to protect our customers.
This document describes the procedure we have prepared for this.
Send your report as soon as possible after discovering the vulnerability to firstname.lastname@example.org. Please encrypt your findings, preferably with our PGP key.
> Do not share information about the vulnerability with others until the problem is resolved.
> Provide information about how and when the vulnerability or malfunction occurs. Describe clearly how the problem can be reproduced, and include the method you used and the time of your investigation.
> Handle your knowledge of the security issue responsibly. Do not perform any actions beyond what is necessary to demonstrate the security problem. Do not abuse the vulnerability, and do not retain any confidential data obtained from the system through the vulnerability.
> Leave contact information (email address or phone number) so that Forhosting can contact you about the assessment and progress of the vulnerability resolution. We also take anonymous reports seriously.
> Do not use physical attacks, DDoS attacks or social engineering.
> Do not use a tool that generates a significant volume of traffic.
Our responsible disclosure policy is not an invitation to actively scan our company network for weak spots. We monitor our network ourselves, so there is a good chance that a scan will be picked up and investigated by our Security Operations Center (SOC).
When you report a suspected weak spot in one of our systems, we treat it in the following way:
> You will receive a confirmation of receipt from Forhosting within three working days of your report.
> Within three working days after the confirmation of receipt, you will receive a response with our assessment of the report and the expected date of the fix. We also strive to keep you informed of progress on resolving the problem.
> Forhosting treats your report confidentially and does not share your information with third parties without your permission, unless legally required or by a court decision.
> Forhosting will work with you to determine whether and how the reported problem is published. Publication will only take place after the problem is resolved. If you wish, Forhosting will credit you by name as the discoverer in that publication.
This Responsible Disclosure scheme is not intended for reporting complaints; such reports will not receive a response. The scheme is also not intended for:
> Reporting that the website is not available.
> Reporting fake e-mails (phishing e-mails).
> Issues found through automated testing.
> Presence of banner or version information.
> CSRF-able actions that do not require authentication (or a session) to exploit.
> Issues on 3rd-party subdomains/domains of services we use. Please report those issues to the appropriate service.
> Reports related to the following security-related headers:
> Strict Transport Security (HSTS).
> XSS mitigation headers (X-Content-Type-Options and X-XSS-Protection).
> DNSSEC/DANE issues.
> Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario).
> Reporting fraud.
For these and other matters, please contact us through our ticket system and/or contact form.
To encourage the reporting of security problems in our systems, Forhosting has a bug bounty scheme. For reports that actually lead to the remediation of a vulnerability or a change in our services, we make an appropriate reward available. We decide whether a report is eligible, and the nature and amount of the reward.
Specific problems that, in our judgement, pose no threat within our infrastructure are excluded from the bug bounty scheme.
EXCLUDED TYPES OF SECURITY PROBLEMS
> (D)DoS attacks
> Problems that amount to self-XSS
> Error messages that do not contain sensitive data
> Reports that merely reveal which software we use
> Problems that require severely outdated operating systems, browsers or plugins
> Problems we are already aware of
This policy has been drawn up on the basis of the NCSC's Responsible Disclosure Guideline.