This Responsible Disclosure and Reporter Acknowledgement Policy (“Policy”) explains how JJ竞技(拉萨)登录手游 works with Reporters to improve our online security.
What to Report to JJ竞技(拉萨)登录手游
Report security incidents and details of vulnerabilities associated with publicly accessible JJ竞技(拉萨)登录手游 resources, including websites.
All information relating to vulnerabilities that you become aware of through this Policy is considered confidential (“Confidential Information”).
We require that all Reporters:
- Do not access employee personal information or JJ竞技(拉萨)登录手游 confidential information.
- If you accidentally access any of these, please stop testing and submit the vulnerability.
- Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
- Do not disrupt production systems or destroy data during security testing.
- Perform research only within the scope set out in this Policy.
- Use the email below to report vulnerability information to us.
- Collect only the information necessary to demonstrate the vulnerability.
- Securely delete JJ竞技(拉萨)登录手游 information that may have been downloaded, cached, or otherwise stored on the systems used to perform the research.
If you fulfill these requirements, JJ竞技(拉萨)登录手游 will:
- Work with you to understand and attempt to resolve the issue quickly (confirming the report within 5 working days of submission).
- Recognize your contribution to our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.
Reporting a vulnerability
If you have discovered something you believe to be an in-scope security vulnerability, you should follow this procedure:
- The findings, including contact details, should be sent to [email protected] .
- The findings should be sent as PGP-encrypted messages using the public key (PGP fingerprint: DEAB 0447 1D10 3A05 9C1C 13F4 4F7E 11A7 0B6C 09FC) available on this website.
- As much information as possible regarding the finding should be communicated to JJ竞技(拉萨)登录手游 to enable it to reproduce and verify the vulnerability, in order to implement appropriate remediation actions.
- The vulnerability findings must remain confidential until public disclosure of the vulnerability has been made by JJ竞技(拉萨)登录手游 on this website.
If more information is required regarding a reported vulnerability, JJ竞技(拉萨)登录手游 may contact the Reporter; therefore, it is important to provide valid contact details, including email address and/or telephone number.
If the conditions listed above are satisfied, JJ竞技(拉萨)登录手游 will verify the existence of the vulnerability, notify affected parties, and implement actions to mitigate the vulnerability.
Once the vulnerability has been removed, the Reporter will be acknowledged unless he/she wishes to remain anonymous, and listed (at his or her own discretion) on this page with a short description of the vulnerability reported.
By reporting vulnerability findings to JJ竞技(拉萨)登录手游, the Reporter acknowledges that such reporting is provided pro bono and without expectation of financial or other compensation, subject to this Policy.
JJ竞技(拉萨)登录手游 reserves the right to accept or reject any security vulnerability disclosure report at its discretion.
For any questions about responsible disclosure of results for a submission, please contact us.
The following are considered outside the scope of this Policy:
- Software version disclosure/Banner identification issues
- Missing best practices in SSL/TLS configuration
- Any activity that could lead to the disruption of our service (DoS)
- Static content over HTTP
- Physical Testing
- Cookie valid after logout
- Cookie valid after password change/reset
- Cookie expiration
- Forgot password autologin
- Autologin token reuse
- Same Site Scripting
- Social Engineering (e.g. attempts to steal cookies, fake login pages to collect credentials)
- Mail Server Domain Misconfiguration (including email spoofing, missing DMARC, SPF/DKIM, etc.)
- Issues related to rate limiting
- Login or Forgot Password page brute force and account lockout not enforced
- Services listening on port 80
- Internal IP address disclosure
- Issues related to cross-domain policies for software such as Flash, Silverlight, etc. without evidence of an exploitable vulnerability
- Username / Email Enumeration:
  - via Login Page error message
  - via Forgot Password error message
  - via Registration
- Weak password policies
- Weak Captcha / Captcha bypass
- Vulnerabilities impacting only old/end-of-life browsers/plugins, including:
  - Issues that have had a patch available from the vendor for at least 6 months
  - Issues on software that is no longer maintained (announced as unsupported/end-of-life, or no patches issued in at least 6 months)
- Vulnerability reports relating to sites or network devices not owned by JJ竞技(拉萨)登录手游
- Vulnerability reports that require a large amount of user cooperation to perform, or unlikely or unreasonable user actions that would be more symptomatic of a social engineering or phishing attack than of an application vulnerability (e.g., disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)