Radancy
12-01-2022 Changed company name from Maximum to Radancy NL
04-11-2020 Added *.maximum.nl to scope
01-10-2020 Added (doorstromen.)mijnkombijdepolitie.nl to scope
27-5-2020 Removed werkenbijmcdonalds.nl from scope
06-11-2019 Added domain careers.evonik.com to scope.
04-11-2019 Updated Please do not report section with out-of-date Wordpress or Wordpress plugins.
Optimizing safety when it comes to the ICT systems is a top priority for Radancy NL. However, as such systems remain vulnerable, possible loopholes and weaknesses cannot be eliminated.
Hence, we would love to hear from you if you have found a weakness in one of our ICT systems. We will handle the safety issues accordingly, and therefore we make use of the following policy:
To provide enough information to reproduce the safety issue, ensuring that Radancy NL can solve the problem quickly. More often than not, the IP-address or the URL of the ICT system and a description of the shortcoming(s) will be enough. However, when it is a more complex problem, an elaborate description could be necessary.
To not share the information regarding the safety issue until it has been solved.
To act responsibly and accordingly by not executing more than necessary actions required for the identification of the safety issue.
Broken Authentication
Circumvention of our framework's privacy and permission models
Cross-Site Request Forgery (CSRF/XSRF)
Persistent Cross-Site Scripting (XSS)
Remote Code Execution
Denial of service by send a specially crafted request. This does not include an overload of request or otherwise raw processing power (Also see "Please do not report")
Attacks requiring DNS takeover
Clickjacking without demonstration of impact
Denial of Service Vulnerabilities by using an overload of processing power or requests
Mail relay server configuration issues
Missing / loosely configured DNS SPF records
Missing DNSSEC
Missing Public Key Pinning headers
Missing/Loosely configured CSP headers (They are as strict as possible)
Open Redirect via autodiscover effects on autodiscover.maximum.nl
Password reset email capture
Publicly accessible login pages for cms/admin area. Note that /admin/ is a fake login panel which does not need vulnerability scanning.
Security vulnerabilities in third-party applications (like Kerio) that are not patched in the latest version
Self-XSS
Social hacking
Software version disclosure
Subresource Integrity (SRI) not implemented
Username dictionary attack
Wordpress or Wordpress plugins out-of-date versions within 30 days (we need time to update all our websites when a new version is out)
XSS requiring legacy browsers
Changing the system.
Copying, changing or deleting data in the system (an alternative would be making a directory listing of the system).
Making use of a denial-of-service or social engineering.
Making use of “bruteforcing” to access to the system.
Repeatedly acquiring access to the system or sharing the access with others.
Spreading or distributing malware.
When a shortcoming in one of the in-scope assets is reported accordingly to the above stated terms and conditions, Radancy NL will not articulate any legal consequences to the notification.
Radancy NL will process the report confidentially and no personal details without permission will be shared with third parties, unless this is a legal requirement.
After consultation, Radancy NL can acknowledge you by publishing your name as the one who identified this particular safety issue.
Within ten working days, the system operator of Radancy NL will send you a confirmation of receipt.
Within twenty working days, the system operator of Radancy NL will send you an evaluation of the safety issue.
The system operator of Radancy NL will keep you updated on the progress of solving the safety issue.
The system operator of Radancy NL will try to resolve the safety issue as soon as possible, within a maximum time period of 90 days. After consultation with Radancy NL, it can be decided if and how the resolved safety issue will be published.
To thank you, a reward will be offered by Radancy NL. This reward will vary depending on the seriousness of the issue and the quality of the report.
| Scope Type | Scope Name |
|---|---|
| web_application | werkenbijdefensie.nl |
| web_application | www.werkenbijbakertilly.nl |
| web_application | werkenbijderet.nl |
| web_application | wp-mail.nl |
| web_application | no-reply.cloud |
| web_application | acme-challenge.nl |
| web_application | rudderplatform.com |
| web_application | mijnkombijdepolitie.nl |
| web_application | doorstromen.mijnkombijdepolitie.nl |
| web_application | *.maximum.nl |
| web_application | ruddercms.nl |
| web_application | nossl.nl |
| web_application | devmaximum.com |
| web_application | maximum-status.com |
| web_application | preprod.nl |
| web_application | qatest.nl |
| web_application | ruddercms.com |
| web_application | humanchemistry.evonik.com |
| web_application | dropr.nl |
| web_application | www2.werkenbijdefensie.nl |
| web_application | werkenbijdnb.nl |
| Scope Type | Scope Name |
|---|---|
| web_application | careers.evonik.com |
| web_application | radancy.com |
| web_application | radancy.nl |
| web_application | successfactors.eu |
| web_application | evonik.com |
| web_application | mandrill.maximum.nl |
| web_application | *.evonik.com |
| web_application | maximum.com |
| web_application | autodiscover.maximum.nl |
| web_application | maxcld.nl |
Firebounty have crawled on 2022-01-12 the program Radancy on the platform Hackerone.
FireBounty © 2015-2024
