TrueWinter

Security

While researching security vulnerabilities, it is requested that you refrain from:

Denial of service attacks
Spamming
Social engineering (including phishing)
Any physical attempts against data centers or offices
Accessing confidential information such as financial resources, emails, etc. If you do access any of these resources, it is requested that you immediately stop testing, delete any confidential information you gathered and email me.
High volume automated scanning without prior permission

Please include the following in your report:

Description of the vulnerability
Steps to reproduce the vulnerability
Proof of exploitability (such as a screenshot or video)
Impact
CVSSv3 Score
Proof of Concept
Browser, OS, and, if applicable, app version used during testing
IP Address(es) from which testing was done

Please note that no monetary rewards will be given for security issues reported.
To report a security vulnerability, please send a short summary of the vulnerability using the contact form at https://truewinter.dev/#contact. I will then email you back to request further information.

In scope:

*.truewinter.dev
*.trwntr.cloud
*.wntr.cc (Please do not do automated scanning against wntr.cc, www.wntr.cc or origin.wntr.cc without permission)
*.ndt3.me
My DN42 Network
Client websites
Software

Out of Scope:

*.somebody-on.cc (Content on this domain should be considered user-generated content. Services on this domain are externally managed)
*.e.truewinter.dev (SendGrid)
*.za-int.trwntr.cloud (Used for internal servers not accessible on the internet)
*.ndt3.cloud (Replaced by trwntr.cloud)
*.ndt3.top (Old CDN domain)
*.nicholis.co.za (Testing and internal services domain)
*.nicholisdutoit.co.za (Testing domain)
Self XSS
Missing cookie flags
SSL/TLS Best Practices
Login/Logout/Unauthenticated CSRF
Incomplete/Missing SPF/DKIM
Clickjacking
Known vulnerabilities in libraries without proof of concept
Archived repositories on GitHub
Repositories marked as not production ready