Security Policy
Services in Scope
This policy takes effect on 01.01.2019.
All services and subdomains under these domains are in scope:
- *.tagnull.de
- *.schminkding.de
Prohibited procedures
Please do not attempt to carry out DoS attacks, use black hat SEO techniques, send spam emails, or do other similarly questionable things. I also discourage the use of any vulnerability testing tools that automatically generate significant volumes of traffic or try to brute-force logins.
Qualifying vulnerabilities
- Cross-site scripting
- Cross-site request forgery
- Mixed-content scripts
- Authentication or authorization flaws
- Information leaks like:
  - Passwords
  - Files that “look like they better shouldn’t be public”
- Server-side code execution bugs
Reporting
Please contact me via email with a written report of your findings. Please include all the steps that led to the exploitation of the vulnerability and also your contact details in order to be rewarded.
Rewards
As this is a privately hosted site, I won’t be able to provide you with high-value bug bounties.
However, you will be listed (if you want) on the acknowledgements page.
RCE vulnerabilities will be rewarded with up to 100€.