Our association is constantly striving to offer a safe and up-to-date structure that can be used by guests and members. This should be secure, up-to-date and easy to use. Unfortunately, security vulnerabilities can never be ruled out and are part of everyday life - due to the diversity and fast pace of operating systems, underlying hardware/architecture, frameworks and so on. If you have found a vulnerability, we would be delighted if you would not exploit it, but help us to fix it and show digital moral courage.
If we become aware of or are notified of any weaknesses in our association's online services, we will take immediate action to rectify this as quickly as possible.
Procedure in the event of an emergency
- Please send us your findings on the security problems by email to webmaster@stadtfabrikanten.org (ideally encrypted).
- Do not exploit the vulnerability or problem yourself, for example by downloading, manipulating or deleting data or uploading code without authorization.
- Do not pass on information about the vulnerability to third parties.
- Do not carry out social engineering (e.g. phishing), DDoS attacks, spam or other attacks on us.
- Provide us with sufficient information so that we can reproduce and analyze the problem. If necessary, provide a contact option for queries.
As a rule, the address or URL of the affected system and a description of the vulnerability are sufficient. However, complex vulnerabilities may require further explanations and documentation.
What we promise
- We will try to close the vulnerability as quickly as possible.
- You will receive feedback from us on the receipt and progress of the notification/report.
- We will act in accordance with the instructions in the security policy mentioned here.
- You must not be afraid to report the problem to us: We will not inform law enforcement authorities in connection with your findings (as long as they are not recognizably criminal).
- Your report will be treated confidentially. This means that your personal data will not be passed on to third parties without your consent.
- We will be happy to name you in an acknowledgement if you give us permission.
Exemplary weak points
- Cross Site Request Forgery (CSRF)
- Cross Site Scripting (XSS)
- Insecure Direct Object Reference (IDOR)
- Remote Code Execution (RCE)
- Information leaks
- Inadequate error handling
- Unauthorized access to properties or accounts
- Possibility of exfiltration of data / information
- Actively exploitable backdoors
- Misconfigurations
- …
Useful information points for a vulnerability report
- Title / name of the vulnerability
- Vulnerability type
- Brief explanation without technical details
- Affected service / system / device
- Exploitation technique (e.g. remote, local)
- Authentication (guest, user, admin, …)
- Type of user interaction (headless, with user, …)
- Technical details
- Proof of concept
- Demonstration of possible solutions to the problem
- Author / contact details for queries
- Consent to mention a pseudonym/name and the vulnerability found in an acknowledgement
Hall of fame
The following vulnerabilities have been reported and fixed so far. Thanks to …
- 09.05.2024 - "Potential Security Risk in .htaccess Configuration" // fixed at 10.05.2024 // reported by Kulla Nehru
- 06.05.2024 - "Host Header Poisoning" // fixed at 10.05.2024 // reported by Varel Valensio
- 16.04.2024 - "Excessive Information Exposure via Metrics Endpoint" // fixed at 26.04.2024 // reported by Yogeswaran M
- 10.04.2024 - "~all" fuzziness in SPF record // fixed at 15.04.2024 // reported by Shivam Dhingra
- 10.04.2024 - Drupal security vulnerability // fixed at 11.04.2024 // reported by Shubham Sanjay Deshmukh
- 05.04.2024 - "Clickjacking Vulnerability in Pad Web Application" // fixed at 11.04.2024 // reported by Parth Narula
- 05.04.2024 - ".git Directory Exposure" // fixed at 11.04.2024 // reported by von Parth Narula
- 04.04.2024 - "Several configuration files containing sensitive information" // fixed at 08.04.2024 // reported by Suresh S
- 01.04.2024 - "Error log files were exposed" // fixed at 01.04.2024 // reported by Gaurang Maheta