Melden Sie potentielle Sicherheits Schwachstellen auf unserer Plattform WERTGARANTIE ist sich ihrer Verantwortung gegenüber Ihren Kunden bewußt. Unser Dienst wird im Rahmen unserer Möglichkeiten sicher entwickelt und betrieben. Dazu gehören auch regelmässige Sicherheitstests. Um unseren Kunden eine sichere Plattform zu gewährleisten. Trotzdem ist es möglich das es Schwachstellen gibt die uns entgehen, die aber durch Sie gefunden wurden. Im Rahmen dieser Initiative begrüssen wir es wenn Sie diese Schwachstellen uns melden, damit wir unseren Dienst noch Sicherer machen können. Der folgende Text ist in englisch, da wir erfahrungsgemäß auch sehr viele englisch sprachige Sicherheitsforscher auf unsere Plattform haben. Kontakt zu WERTGARANTIE E-Mail: security@wertgarantie-group.com Informe sobre cualquier fallo de ciberseguridad en nuestra plataforma. Wertgarantie es consciente de la responsabilidad que tiene con sus clientes. Nuestro servicio se desarrolla de la forma más segura posible. Esto también incluye pruebas de seguridad periódicas para garantizar la seguridad para nuestros clientes. Sin embargo, es posible que ciertas vulnerabilidades se nos hayan escapado, pero hayan sido descubiertas por usted. Como parte de esta iniciativa, le animamos a que nos informe de estas vulnerabilidades de seguridad para que podamos hacer nuestro servicio aún más seguro. Contacto garante: E-mail : security@wertgarantie-group.com Signalez les éventuelles failles de sécurité sur notre plateforme. Wertgarantie est consciente de sa responsabilité envers ses clients. Notre service est développé et exploité en toute sécurité dans la mesure de nos possibilités. Cela comprend également des tests de sécurité réguliers afin de garantir une plateforme sûre à nos clients. Cependant, il est possible que certaines vulnérabilités nous échappent, mais qui ont été découvertes par vous. Dans le cadre de cette initiative, nous vous encourageons à nous signaler ces failles de sécurité afin que nous puissions rendre notre service encore plus sécurisé. Contactez SFR: E-mail : security@wertgarantie-group.com WERTGARANTIE Vulnerability Program Rules We appreciate a productive relationship with the security research community. To honour all the external contributions that help us keep our users safe, we maintain a Vulnerability Program for Wertgarantie owned web properties. Services in scope In principle, any web service owned by Wertgarantie that handles reasonably sensitive user data is intended to be in scope. This includes virtually all the content in the following domains: *.wertgarantie.de *.wertgarantie.com *.wertgarantie.nl *.wertgarantie.fr *.sfg.fr *.garante.es *.wertgarantie.at *.wertgarantie-group.com Qualifying vulnerabilities Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include: - Mixed-content scripts, - Cross-site scripting, - Cross-site request forgery, - Authentication or authorization vulnerabilites, - Server-side code execution vulnerabilites. Non-qualifying vulnerabilites - already reported vulnerabilities in outdated software. - results from an automated vulnerability scan. - Account-Enumeration - Denial-of-Service-Angriffe - SSL/TLS Best Practices Rules we are happy about every reported vulnerability. Please consider the following rules: Use for contact the following e-mail: security@wertgarantie-group.com. What we need : - A proper description of the vulnerability - Date and time when you did discover the vulnerability - IP address, hostname, domain name, url of the affected system - A working e-mail address, in case we have further questions and of course to be able to thank you - Please provide your name or handle so we know who to thank. If you do some research, that might can interrupt our services, please contact us first. If you’re account is blocked during research, you might have violated our terms of services and you should have contacted us first. But its not too late, please inform us immediately. Otherwise we consider this incident as a criminal act and trigger legal actions. Keep in mind we are appreciate your work and research, we have a common goal to make the internet a safer place. But we need to draw somewhere a line into the sand, because we are obliged to protect our customers and services from criminals. You reported a vulnerability and its still not fixed yet. Of course we do everything possible to fix the vulnerability but sometimes things take time. There might be design/architectural problems that makes the remediation more complicated and we need more time to fix it. Please be patient. If you like to disclose a vulnerability to the public please consider the following steps: - report the vulnerability to us first, to give us a fair change to fix it. Remember our customers well being might depend on that. - tell us that you plan to disclose the vulnerability and we can align on a proper procedure that ensures the safety of our customers and your urge to disclose. Final Words We honour security research and are grateful for every reported vulnerability that makes our service more secure. We thinks its against the security community spirit if this program turns into a business model, competition or game. Thats why we will never pay for reported vulnerabilities but be sure that we will show our appreciation in an adäquate manner. Thank you very much and we are looking forward to hear from you.