What is this page about?

publiq vzw considers it important that its information and systems are secure.

Despite the care we take over the security of these systems, a vulnerability may still exist.

If you have found a vulnerability in one of our systems, please let us know so that we can take measures as quickly as possible. We would like to work with you to protect our audience and our systems in a better way.

We have therefore opted for a policy of coordinated disclosure of vulnerabilities (also known as the ‘Responsible Disclosure Policy’) so that you can inform us when you discover a vulnerability.

This Responsible Disclosure Policy applies to all applications and systems of publiq. In any case of doubt, please contact us to clarify matters via security@publiq.be.

What we ask of you

If you discover a vulnerability in one of our systems, we ask you to:

Reporting the vulnerability

  • Report the vulnerability as soon as possible after discovery. Mail your findings to security@publiq.be - if you consider your insights to be sensitive, please reach out first so we can establish a secure means of communicating.

  • Provide sufficient information to reproduce the vulnerability so that we can solve the problem as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient, but for more complex vulnerabilities more may be needed.

  • Leave your contact details, so that publiq can contact you to work together for a safe result. Leave at least your name, e-mail address and/or telephone number. Reporting under a pseudonym is possible, but make sure that we can contact you if we should have additional questions.

  • Confirm that you have acted and will continue to act in accordance with this Responsible Disclosure Policy.

Rules you must follow

  • Don’t disclose the vulnerability until we have been able to correct it. See below for possible publication.

  • Don’t exploit the vulnerability by unnecessarily copying, deleting, adapting or viewing data, or, for example, by downloading more data than is necessary to demonstrate the vulnerability.

  • Don’t use attacks on physical security, social engineering, distributed denial of service, spam or third-party applications.

  • Immediately erase all data obtained through the vulnerability as soon as it is reported to VRT.

  • Don’t perform actions that could have an impact on the proper functioning of the system, both in terms of availability and performance, but also in terms of confidentiality and integrity of the data.

  • Don’t perform any of the following actions:
    • Placing malware (virus, worm, Trojan horse, etc.).

    • Copying, modifying or deleting data in a system.

    • Making changes to the system.

    • Repeatedly accessing the system or sharing access with others.

    • Using automated scanning tools.

    • Using so-called "brute force" attacks to gain access to systems.

    • Using denial-of-service or social engineering (phishing, vishing, spam,...).

Acts under this Responsible Disclosure Policy should be limited to conducting tests to identify potential vulnerabilities, and sharing this information with publiq. If, after the vulnerability has been removed, you wish to publish information about the vulnerability, we ask you to notify us at least one month before publication, and to give us the opportunity to respond. Identifying us in a publication is only possible after we have given our explicit approval.


Accepted vulnerabilities

  • Remote code execution (RCE)

  • Local file access and manipulation (LFI, RFI, XXE, SSRF, XSPA)

  • Code injections (HTML, JS, SQL, PHP, ES)

  • Cross-Site Scripting (XSS, except reflected XSS)

  • Cross-Site Request Forgery (CSRF) with real security impact

  • Open redirect

  • Broken authentication & session management

  • Insecure direct object references (IDOR)

  • CORS misconfigurations with real security impact

  • Horizontal and vertical privilege escalation

  • Business Logic Errors

Refused vulnerabilities

  • Clickjacking on pages with no sensitive actions

  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions

  • Known vulnerable 3rd party or open-source libraries unless the vulnerability can be exploited within an in-scope application

  • Missing best practices in SSL/TLS configuration

  • Any activity that could lead to the disruption of our service (DoS)

  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

  • Rate limiting or bruteforce issues on non-authentication endpoints

  • Missing best practices in Content Security Policy

  • Missing HttpOnly or Secure flags on cookies

  • Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)

  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]

  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application, or server errors)

  • Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis

  • Tabnabbing

  • Issues that require unlikely user interaction

  • Excessive Session timeouts

  • Password stuffing attacks

  • Disclosure of Internal IPs and Paths, unless it is a harmful exploit or demonstrates a business impact

  • Autocomplete enabled

  • Missing security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options

  • Social engineering, Phishing attacks, Physical attacks, and attacks against Network protocols

  • Self XSS

  • Exposed login panels

  • Subdomain takeovers without a proof-of-concept

  • Open ports without an accompanying proof-of-concept demonstrating vulnerability

  • User enumeration

  • Uploading virus-infected files

  • Any findings that have no impact on confidentiality, availability and integrity

Scope

What we promise

  • If you have complied with the above terms of the Responsible Disclosure Policy and have not committed any other breaches, we will not take any legal action against you.

  • We will respond to your report within a short period of time, if possible within 10 working days, with our review of the report and any expected date for resolution.

  • We will treat your report confidentially and will not share your personal data with third parties without your consent, unless this is necessary to comply with a legal obligation.

  • We will keep you informed of the progress of solving the problem.

  • To thank you for any report of a security problem that is not yet known to us, we offer the opportunity to be listed in our "Hall Of Fame".

  • We strive to solve all problems within a short period of time.

  • We may choose to ignore low quality reports.

If you have any questions, we encourage you to address them to security@publiq.be.

In case of doubt about the applicability of this policy, please contact us first via this email address, to ask for explicit permission.

We reserve the right to change the content of this Policy at any time, or to terminate the Policy.

This text is a derivative work of "Responsible Disclosure" by VRT, which was based on the policy by Floor Terra, released under a Creative Commons Attribution licence 3.0.


Hall of fame

To thank you for any report of a security problem that is not yet known to us, we offer the opportunity to be listed in our "Hall Of Fame".
