Added suggested changes/corrections to RDP

This commit is contained in:
Pieter-Jan Cassiman 2020-11-19 10:11:24 +01:00
parent 8c281d4273
commit 46bb5e6061


@ -51,12 +51,12 @@ The security risk, data leak, compromised infrastructure, etc will be henceforth
\begin{enumerate}
\item If the reporter abides by the rules and guidelines outlined in this document, no legal actions of any kind will be taken against the reporter, by Zeus WPI.
\item If the reporter abides by the rules and guidelines outlined in this document, no legal actions of any kind will be taken against the reporter, by Zeus WPI. This is under the assumption that no applicable laws were broken, at which point Zeus WPI is obligated to notify the relevant authorities.
\item During the process of resolving the vulnerability, the reporter will be kept in the loop and updated on the progress Zeus WPI makes towards resolving the vulnerability.
\item After taking notice of the vulnerability Zeus WPI will do everything in its power to resolve the vulnerability as quick as possible. The reporter can expect a response within seven days, of initially bringing the attention of Zeus WPI to the vulnerability.
\item After the vulnerability has been resolved, the reporter is free to publish about the vulnerability and the way they discovered it.
\item However Zeus WPI would appreciate if they could review the publication before it is made public, in order to verify the correctness of the publication. If the vulnerability is particularly interesting Zeus WPI can ask the reporter to write a publication for the blog managed by Zeus WPI.
\item If desired, the reporter can choose to remain anonymous. However, in such a case, Zeus WPI cannot be held responsible if the reporter is (or can be) identified via the submitted information and/or information.
\item However Zeus WPI would appreciate if they could review the publication before it is made public, in order to verify the correctness of the publication. If the vulnerability is particularly interesting Zeus WPI can offer the reporter to write a publication for the blog managed by Zeus WPI.
\item If desired, the reporter can choose to remain anonymous. However, in such a case, Zeus WPI cannot be held responsible if the reporter is (or can be) identified via the submitted data and/or information.
\end{enumerate}
\section{Our expectations}
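Review bot: the safe-harbour clause added in the new first item is conditioned on "no applicable laws were broken", which undercuts the assurance it is meant to give, since almost any testing of a live system can be argued to touch computer-misuse legislation; consider tying the carve-out to the rules in this document instead, e.g. "provided the reporter stays within the rules and guidelines outlined in this document, Zeus WPI will not take legal action; Zeus WPI may still be obliged to notify the authorities where the law requires it". Two wording issues in this hunk also remain: "as quick as possible" should read "as quickly as possible" and the comma in "within seven days, of initially bringing" should be dropped; and in the item starting "However Zeus WPI would appreciate if they could review", "they" is ambiguous (it reads as the reporter), so "if it could review the publication" would be clearer.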
@ -70,7 +70,7 @@ The security risk, data leak, compromised infrastructure, etc will be henceforth
\section{Applicable rules}
\begin{enumerate}
\item The reporter keeps the vulnerability a secret until Zeus WPI has had a change to resolve the vulnerability. This implies that the reporter does not communicate about the vulnerability or does not make any publications until Zeus WPI has remedied the vulnerability.
\item The reporter keeps the vulnerability confidential until Zeus WPI has had a change to resolve the vulnerability. This implies that the reporter does not communicate about the vulnerability and does not make any publications until Zeus WPI has remedied the vulnerability.
\item The reporter does not abuse the situation; this implies the following:
\begin{itemize}
\item The reporter only does the absolute minimum that is required to determine the vulnerability.
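Review bot: the new first item still carries the typo "had a change to resolve the vulnerability", which should be "had a chance to resolve the vulnerability"; the change from "a secret" to "confidential" and from "or" to "and" is otherwise an improvement, since the old wording could be read as allowing one of the two. In the unchanged context line "the absolute minimum that is required to determine the vulnerability", "demonstrate the vulnerability" would state the intent more precisely.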
@ -80,8 +80,9 @@ The security risk, data leak, compromised infrastructure, etc will be henceforth
\item The reporter does not perform any of the following actions:
\begin{itemize}
\item Placing malware, of any kind, in the vulnerability.
\item Removing, altering or adding data.
\item Make changes to the vulnerability, or the system that the vulnerability runs ons.
\item Removing, altering, adding or copying data.
\item Make changes to the system that the vulnerability runs ons.
\item Reinforce the vulnerability, with the intention of (re-)using it a later time.
\item Repeatedly gain access to the vulnerability, or share this access with others.
\item Using automated scanning tools on production-instances of our applications. On privately run instances this is allowed, since they operate as a sandbox.
\item Using brute-force to gain access to systems managed by Zeus WPI.
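Review bot: the rewritten item "Make changes to the system that the vulnerability runs ons." keeps the typo "runs ons" (should be "runs on"), and the verb forms in this list are inconsistent ("Placing", "Removing", "Make", "Reinforce", "Repeatedly gain", "Using"); aligning them all on the gerund ("Making changes", "Reinforcing", "Repeatedly gaining") would read better. Adding "copying" to the data item is a sensible tightening, as it closes the gap where exfiltrating data would otherwise not have been explicitly prohibited. Also, "production-instances" does not need the hyphen.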