Responsible Disclosure
Help us keep our systems secure by responsibly reporting vulnerabilities through our coordinated vulnerability disclosure program.
Please read this before submitting your report.
We make every effort to keep our systems secure. Still find a problem in our security? Please report it so we can fix it right away. We call this reporting a vulnerability disclosure (also known as coordinated vulnerability disclosure and responsible disclosure).
How do you report a problem?
Send it to us through our main contact form and choose Responsible disclosure as the reason for contact.
Provide detailed information
Give us as much information as possible; that will help us reproduce and solve the problem. Provide us with a detailed description with IP addresses, logs, screenshots, etc.
Include your contact information
Give us your contact information, a phone number or a mailing address. This enables us to reach you if we want to know more.
What should you pay attention to?
Confidentiality
Don't tell anyone else about it. Keep the vulnerability confidential until we've had sufficient time to develop and publish a fix.
Data Clean-up
Destroy data you have obtained. Once you've confirmed the vulnerability, safely dispose of any sensitive data you may have accessed during the testing process.
Scope Limitation
Do not go further than necessary to prove the problem. Testing should be limited to demonstrating the vulnerability without causing unnecessary impact.
No Exploitation
Do not abuse the security breach or we will be forced to file a report. Misuse of vulnerabilities may result in legal action.
What can you report?
Examples of reportable vulnerabilities:
- Remote Code Execution
- Cross Site Scripting (XSS) vulnerabilities
- Cross Site Request Forgery (CSRF) vulnerabilities
- SQL injection vulnerabilities
- Vulnerabilities related to encryption
- Unintended publication of sensitive data
- Security misconfiguration
- Unauthorized access to data
What you don't have to report (out of scope):
The following items fall outside the scope of our vulnerability disclosure program:
Social Engineering
Phishing, pretexting, baiting and similar techniques.
Resource & DoS Attacks
Resource attrition and (Distributed) Denial of Service attacks.
Physical Attacks
Physical attacks or unauthorized in-person access.
Non-reproducible Issues
Situations that are not reproducible or whose impact has not been demonstrated to be reproducible.
Unvalidated Findings
Vulnerabilities that have not been validated with a second method or tool (e.g., tool A detects vulnerability, tool B does not).
Cosmetic Issues
Layout differences between browsers. Report via [email protected] if necessary.
User Behavior
Leaving workstations unattended, clicking on links or using key combinations.
Port/Service Listings
Simple listings of ports, services or version numbers without further context or abuse scenario.
Public Files
Public files or directories that do not contain confidential information and should be publicly available.
Non-sensitive Cookies
Missing HTTP-only or Secure flags on cookies that do not contain sensitive information.
TLS/SSL Configuration
TLS/SSL configuration issues with no working proof-of-concept or no demonstrable impact (e.g., SSL Forward Secrecy disabled).
Missing Security Headers
Missing HTTP security headers (X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, Strict-Transport-Security).
OPTIONS Method
OPTIONS HTTP method available without evidence of abuse.
URL Redirects
URL redirects to legitimate and valid pages.
Clickjacking
Clickjacking or content spoofing with no obvious security impact.
Local Spoofing
Local content spoofing or text injection on error pages (such as 404s) without sensitive interaction.
Host Header Injection
Host Header Injection with no evidence of abuse.
DNS Records
Missing or incorrect SPF, DKIM, DMARC or CAA DNS records without demonstrable impact.
Fingerprinting
Fingerprinting or version information of public services without known vulnerability or exploitability.
Outdated Software
Outdated software versions without publicly known exploits or without working exploitation in context of our system.
Browser/Platform Issues
Issues occurring only when using outdated or unpatched browsers or platforms on the user side.
Hardening Absence
Absence of hardening or security best practices without direct vulnerability (e.g., xmlrpc.php on WordPress, absence of rate-limiting).
Unrealistic Interactions
Issues requiring improbable or unrealistic user interaction.
Low-Impact CSRF
Cross-site Request Forgery (CSRF) with minimal or no security impact.
Third-Party Services
Services running at external third parties; reports should go through their own responsible disclosure process.
External Breaches
Information from data breaches at external parties, such as email addresses found through public breaches.
Recent Patches
Vulnerabilities for which patches are available for less than 14 days.
Known Protocol Issues
Known problems with protocols or technologies not in our management domain (e.g., ARP, HL7).
Duplicates
Duplicates of previously reported vulnerabilities; only the first report will be addressed.
Known problems
There are also problems that are already known to us and that we are working on or recognize as accepted risks. We do not name these problems on the website. However, our support team is aware of them and will indicate them. As a result, the issue will not be addressed.
Security.txt
With the publication of RFC 9116, a unified way is now available for organizations to publish their vulnerability disclosure policies and contacts. To that end, a text format was devised that is readable by both machines and humans and published on the website in the security.txt file.
Our security.txt file can be found here: https://defenseacademy.eu/.well-known/security.txt
Agree?
By submitting your finding to DefenseAcademy, you acknowledge that you have read and agree to our terms and conditions. You also represent to us that you are the sole creator of the submission and hereby grant us permission to use, reproduce, copy, modify and dispose of your submission in any manner we determine. You also agree that you may not use your submission for marketing or financing purposes or as a reference in any personal or professional presentation, documentation or other material and that you may not use in any way (either on the Internet or through any other means of communication) our trade name, company name, logo or trademark.