Responsible disclosure policy

Last updated 7-2-2024
Introduction 
At 永利皇宫app下载注册, the safety is our top priorities. Our specialists work continuously to optimise our systems and processes. Despite the effort we put into the security of our systems, vulnerabilities can still be present. Do you have the skills and have you discovered any vulnerabilities in our systems? Please help by reporting them to us, so that we can improve the safety and reliability of our systems together and those or our members. To encourage reporting vulnerabilities to 永利皇宫app下载注册, we would urge you to send any vulnerability you detect to us. Any researcher who provides a high quality report which will be important for the continuity and reliability of the transport industry .  
Description 
Responsible Disclosure indicates 永利皇宫app下载注册’s continued commitment to improve its security posture. As part of this process, we work closely with security researchers to identify and report vulnerabilities they find within our systems. 
Publication 
You are always allowed to publish about your findings but always discuss it upfront with 永利皇宫app下载注册. We want to make sure that issues are fixed before publication.  永利皇宫app下载注册 appreciates security researchers efforts in reporting vulnerabilities on its systems as long as the discovered vulnerability is in scope, detected without the use of intrusive testing techniques, and follows the disclosure guidelines below: 
Bounties 
Depending on the severity of the finding we will be willing to offer a bounty as we are a Non-profit organization this will be limited. 
Rules of Engagement 
Reports are required to be written in English. Please include a clear attack scenario outlining detailed reproduction steps. Make sure that during your investigation you do not cause any damage or disruptions to our systems so do not alter, change or delete data from our systems. Do not put a backdoor in the system, not even for the purpose of showing the vulnerability as inserting a backdoor will cause even more damage to the safety of our systems and do not penetrate the system any further than required for the purpose of your investigation. Make sure that during your research you do not inadvertently cause a data breach (i.e. sharing screenshots or recordings on 3rd party cloud solution). Law regulations for Responsible Disclosure may differ by country. We strongly advise you to take these regulations into account. Your investigation on our systems could be regarded as a criminal act under local or international law and you may then risk criminal prosecution. If you have detected vulnerabilities in one of 永利皇宫app下载注册’s systems, please be aware that local law takes precedence over 永利皇宫app下载注册 rules. Nevertheless, if you act in good faith and according to 永利皇宫app下载注册’s rules, we will not report your actions to the authorities, unless required to do so by law. 
General 
  • In case that a reported vulnerability was already known to the company from their own tests or other reporting, it will be flagged as a duplicate 
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded or be lowered in severity 
  • Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted 
  • Do not utilise social engineering in order to gain access to our systems. 
  • Vulnerabilities detected by 永利皇宫app下载注册 employees or providers are excluded  
 
Out of Scope for this policy is:  
Domains 
  • Domains not owned by 永利皇宫app下载注册 
Application 
  • Pre-Auth Account takeover/OAuth squatting 
  • Self-XSS that can't be used to exploit other users 
  • Verbose messages/files/directory listings without disclosing any sensitive information 
  • CORS misconfiguration on non-sensitive endpoints 
  • Missing cookie flags 
  • Missing security headers 
  • Cross-site Request Forgery with no or low impact 
  • Presence of autocomplete attribute on web forms 
  • Reverse tabnabbing 
  • Bypassing rate-limits or the non-existence of rate-limits. 
  • Best practices violations (password complexity, expiration, re-use, etc.) 
  • Clickjacking on pages with no sensitive actions 
  • CSV Injection 
  • Sessions not being invalidated (logout, enabling 2FA, etc.) 
  • Mixed content type issues 
  • Cross-domain referrer leakage 
  • Anything related to email spoofing, SPF, DMARC or DKIM 
  • Content injection on error pages 
  • Username/email enumeration 
  • Email bombing 
  • HTTP Request smuggling without any proven impact 
  • Homography/typosquatting 
  • XMLRPC enabled 
  • Banner grabbing/Version disclosure 
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability 
  • Weak SSL configurations and SSL/TLS scan reports 
  • Not stripping metadata of images 
  • Disclosing API keys without proven impact 
  • Same-site scripting 
  • Blind SSRF without proven impact (DNS pingback only is not sufficient) 
  • Disclosed and/or misconfigured Google API key (including maps) 
  • Host header injection without proven impact 
  • Spam, social engineering and physical attacks 
  • DoS/DDoS attacks or brute force attacks 
  • Reports that state that software is out of date/vulnerable without a proof-of-concept 
  • Attacks requiring physical access to a victim’s computer/device, man in the middle or compromised user accounts