Security
While researching security vulnerabilities, it is requested that you refrain from:
- Denial of service attacks
- Spamming
- Social engineering (including phishing)
- Any physical attempts against data centers or offices
- Accessing confidential information such as financial resources, emails, etc. If you do access any of these resources, it is requested that you immediately stop testing, delete any confidential information you gathered and
email me.
- High volume automated scanning without prior permission
Please include the following in your report:
- Description of the vulnerability
- Steps to reproduce the vulnerability
- Proof of exploitability (such as a screenshot or video)
- Impact
- CVSSv3 Score
- Proof of Concept
- Browser, OS and, if applicable, app version used during testing
- IP Address(es) from which testing was done
Please note that no monetary rewards will be given for security issues reported.
To report a security vulnerability, please send a short summary of the vulnerability using the contact form at https://truewinter.dev/#contact. I will then email you back to request further information.
In scope:
Out of Scope:
- img.somebody-on.cc (Domain used for image hosting. Content on this domain may be uploaded by other users of the file host)
- *.rs.somebody-on.cc (Used for research)
- *.e.truewinter.dev (SendGrid)
- *.za-int.trwntr.cloud (Used for internal servers behind NAT)
- hz-ns*.trwntr.cloud (Externally managed DNS servers)
- *.ndt3.cloud (Replaced by trwntr.cloud)
- *.ndt3.top (Old CDN domain)
- ndtweb.freshdesk.com (Externally hosted support system)
- Self XSS
- Missing cookie flags
- SSL/TLS Best Practices
- Login/Logout/Unauthenticated CSRF
- Incomplete/Missing SPF/DKIM
- Clickjacking
- Known vulnerabilities in libraries without proof of concept
- Research servers:
- PoC servers:
- Archived repositories on GitHub
- Repositories marked as not production ready