Bug Bounty Policy

This policy is published in English only

If you’ve discovered a security issue or another relevant in-scope issue in app.certifix.eu or www.certifix.eu, please follow the up-to-date instructions at https://app.certifix.eu/.well-known/security.txt

If you discovered a security issue on another connected domain (such as txp-association.cz), we reserve the right to exclude low-impact / best-practices-only bugs from the bug bounty program.

We follow responsible disclosure principles, meaning that if you report vulnerabilities to us directly and everything goes well, you’re eligible for a reward and for being listed in the hall of fame. All reports are assessed and handled individually, and so are the rewards offered.

Out of scope definitions

  1. Denial of Service (DoS or DDoS) or limit bypass by using multiple IP addresses, rapid download requests or botnet-like attacks (e.g. CVE-2018-6389)
  2. Attacks only feasible if the attacker is able to compromise/hack the user's PC/phone/device/web browser

Examples of non-acceptable reports

Listed here are the types of issues that will be refused as invalid / wontfix or that require your special attention:
  1. Example Report:

    Username not sanitized / Putting e.g. "evil.com" instead of a real user name gets sent as a link in emails

    Reason:

    GMail (and possibly other email user interfaces) automatically converts plain text into clickable links, and there is nothing we can do about it. Please check the source code of the email: your name is not sent or used as a link.


  2. Example Report:

    You can register multiple user accounts by using "correct.email+some-text@gmail.com"

    Reason:

    This is correct and intended behavior that we opted in to. So far, among circa 20 reports, no security issue has been found. If you were to report this, include a strong explanation or a threat demonstration.


  3. Example Report:

    I can (D)DoS your application by requesting this URL multiple times, or by using several IP addresses or a botnet

    Reason:

    Even though this is listed under "Out of scope definitions", to explain: we are aware that such tools can bypass some of our performance/security measures, and we are not interested in such reports.

    You can report a DoS that results from misusing provided actions, such as "I upload this kind of file (or a file this large) and the website/webapp becomes inaccessible", but make sure there is actually a crash or downtime/prolonged processing on our side, and not just your slow internet connection taking 99% of the attack time to upload the data to our servers.


  4. Example Report:

    If we send the user to the /logout URL, he actually gets logged out

    Reason:

    Yes, the logout URL is not protected, but there is no actual "attack" or "security threat": you'll annoy the user and gain nothing. Exactly the same behavior is present on "https://accounts.google.com/Logout" and it's not a security issue.


  5. Example Report:

    "If we compromise the user's PC/phone ..." or "if we steal the user's cookies ..." or "if we modify the user's request through a proxy ..."

    Reason:

    Any attack that is feasible only once you have compromised the user's device or web browser is out of scope, because we cannot protect against it.

    If you must report something similar, please ensure there is actually something we can do about it.


  6. Example Report:

    In files uploaded to app.certifix.eu, metadata is not removed (e.g. image GPS/EXIF)

    Reason:

    Files uploaded to app.certifix.eu are protected by GDPR and user agreements, and except where listed, are never shared outside of the certification/verification process of corporate ownership. We are not obliged to remove metadata from such files and we will not do anything like this, because the integrity (and originality) of the files provided to us is most important.


  7. Example Report:

    The domain certifix.eu or any of its subdomains is not protected by DNSSEC

    Reason:

    Because of our current IaaS provider (DigitalOcean), and specifically the requirements of some of the IaaS components we use, we're unable to have DNSSEC enabled for our primary domain. This will be addressed eventually, but currently it's something we're unable to fix, so we cannot pay out a bounty for this insecurity.

    See for reference e.g. "Add DNSSEC support to the DNS manager", "Implement Let's Encrypt on Load Balancer without having to dedicate the whole domain to DO DNS", and many more similar reports via search: https://ideas.digitalocean.com/network?search=dnssec