This is the bug bounty program for my personal web pages. Feel free to report anything on subdomains of the assets listed below. If you want to find out which subdomains exist you can use the Certificate Transparency search engine https://crt.sh/ and e.g. search for %.hboeck.de.

Not considered vulnerabilities

• SSRF: The server is not in an internal network, so there is no SSRF. Please don't report unless you can show a practical issue.
• Old TLS versions and ciphers: I'm trying to achieve a balance between compatibility and security, which means I won't disable some old features (e.g. TLS 1.0) for now. Please only report if you can show a practical attack that works against modern browsers.
• Missing or unsafe security headers: I'm setting security headers where it's practical and makes sense. However in some situations I use thirdparty software that's e.g. incompatible with strict CSP rules. Again: Please only report if you can show practical impact.
• Public directory listings: I have a couple of hosts where I share files publicly for a variety of reasons. These are intentionally public and not by mistake. In all cases they should contain a file 00README.txt explaining that they're intentionally public. Unless you find files in there that contain sensitive data or enable further attacks please don't report them.
• Intentional information disclosure: Some applications running on this server will expose their name or version, e.g. via headers or banners on connections. I don't believe it's a worthy goal to hide which software is running. As long as these don't expose vulnerable software please don't report them. However what you should report is unintentional information disclosure, e.g. if you can read out any information due to a bug that's not intentionally disclosed. (An example would be a Heartbleed-like bug.)
• Disclosure of code and artifacts from free software: Multiple applications in scope of this program are based on common free and open source software. These often include things like documentation, composer files, scripts or other files that are publicly accessible through the web server. As these aren't secret disclosing them is not a vulnerability.
• Disclosure of public keys. No joke: I got multiple reports where people found a public key of mine. Public keys are supposed to be public.
• Lack of brute force protection or open access to login panel: These issues are only relevant if weak passwords are used, and they're a poor defense in any case.
• Lack of DKIM/DMARC. (Known, support is planned, though probably only in softfail mode, as DMARC is inherently broken and incompatible with existing infrastructure.)

Disclosure Policy

• Let me know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
• Provide a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Exclusions

While researching, we'd like to ask you to refrain from:

• Denial of service
• Spamming
• Social engineering (including phishing) of Hanno's projects staff or contractors
• Any physical attempts against Hanno's projects property or data centers

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Hanno's projects and users safe!