Vulnerability Disclosure Policy (VDP)

Du hast eine Schwachstelle in einem unserer Systeme gefunden? You have found a vulnerability in one of our systems?

Online Termin vereinbaren

We know that any system and infrastructure can be(come) vulnerable. We encourage everyone to report security vulnerabilities. This protects us, our customers, partners and stakeholders and makes the world a little more secure.
  • Look for security vulnerabilities according to the policy
  • Report it to us responsibly via security@fidela.at
  • Get a free YubiKey
  • Thank you for making our systems more secure 💖
  • Thanks to syslifters.com for the VDP

Safe Harbour

We will not take any legal action against activities complying with this policy. If legal actions are initiated by third parties due to activities compliant with this policy, we will take actions to make it known to responsibles and/or legal authorities.

Our promise

We will review and respond to your report promptly and conduct an open dialog with you. We will provide a timeline for when we expect the vulnerability to be fixed. As a mark of recognition, we reward you with an up-to-date YubiKey for your personal use (max. one per person per year) for high or critical issues (following CVSSv3.1). We will give you credits for your findings and include you in our hall of fame if desired.

Your promise

You promise to use discovered vulnerabilities for no other purpose than reporting them to us. Vulnerabilities are reported exclusively and privately, promptly after detection. You promise to not take actions with the intention to harm us, our customers, partners, or any other stakeholder.

Scope

The scope of this vulnerability disclosure policy (VDP) includes:
  • *.fidela.at
  • *.fidela.cloud
The following activities are prohibited:
  • Denial of service (incl resource-exhaustion, automated scanners with high loads, deleting data, fuzzing, etc)
  • Spamming
  • Social engineering (including phishing)
  • Physical access (incl entering or surveilling properties)
  • Attacking non-internet facing systems (internal networks, private IPs, workstations, etc)
  • Installing persistent backdoors
Issues without direct security impact, lack of hardening, or defense-in-depth measures are out of the scope of this VDP. This includes (but is not limited to):
  • Presence/absence of DKIM/SPF/DMARC records
  • Missing http headers (such as CSP, Permissions-Policy, etc)
  • Clickjacking
  • Missing http cookie flags
  • Information disclosure of non-sensitive contents (like robots.txt, sitemap.xml, files, directories, etc)
  • Absence of best practices
  • Self-Attacks
  • CSRF with low or no impact
  • Open ports
  • Attacks requiring pre-conditions that would be security issues per se (e.g. usage of outdated browsers, vulnerable browser plugins, weak userpasswords)
  • Lookalike domains
  • Homograph attacks
  • Broken links
  • Metadata in assets (like images, PDFs, etc)
  • Theoretical attacks with no realistic exploit scenario
  • Weak SSL/TLS settings
  • Software that is out of date without proven security impact
  • Missing multi-factor authentication
  • Recently patched vulnerabilities in third-party software within two weeks after publication