Security
While researching security vulnerabilities, please refrain from the following:
- Denial of service attacks
- Spamming
- Social engineering (including phishing)
- Any physical attempts against data centers or offices
- Accessing confidential information (financial data, emails, etc.). If you do gain access to any such information, stop testing immediately, delete any confidential information you gathered, and email me.
- High-volume automated scanning without prior permission
Please include the following in your report:
- Description of the vulnerability
- Steps to reproduce the vulnerability
- Proof of exploitability (such as a screenshot or video)
- Impact
- CVSSv3 Score
- Proof of Concept
- Browser, OS, and, if applicable, app version used during testing
- IP Address(es) from which testing was done
Please note that no monetary rewards will be given for security issues reported.
To report a security vulnerability, please send a short summary of the vulnerability using the contact form at https://truewinter.dev/#contact. I will then email you back to request further information.
In scope:
- *.truewinter.dev
- *.truewinter.cloud
- *.truewinter.net
- *.truewinter.xyz
- *.twdns.top
- *.t3.cx (Please do not do automated scanning against t3.cx, www.t3.cx or origin.t3.cx without permission)
- *.framed-app.com (Please do not do automated scanning against cf-api.framed-app.com without permission)
- *.ndt3.me
- My DN42 Network
- AS211869
- Client websites (Please do not do automated scanning against client websites. Additionally, spamming forms will get your IP address blocked)
- Software
Out of scope:
- *.e.truewinter.dev (SendGrid)
- *.za-int.truewinter.cloud (Used for internal servers not accessible on the internet)
- *.nicholis.co.za (Testing and internal services domain)
- *.nicholisdutoit.co.za (Testing domain)
- cdn.truewinter.net
- cdn-b.truewinter.net
- *.twssl.top
- Spamming forms (contact forms, comments, etc.) is forbidden and may result in your IP address being blocked and any associated accounts being suspended.
- Self XSS
- Missing cookie flags
- SSL/TLS configuration best practices
- Login/Logout/Unauthenticated CSRF
- Incomplete/Missing SPF/DKIM
- Clickjacking
- Known vulnerabilities in libraries without a proof of concept
- Archived repositories on GitHub
- Repositories marked as not production ready