At DCSA, safety is our top priority. Our specialists work continuously to optimise our systems and processes. Despite the effort we put into the security of our systems, vulnerabilities can still be present. Do you have the skills, and have you discovered any vulnerabilities in our systems? Please help by reporting them to us, so that together we can improve the safety and reliability of our systems and those of our members. To encourage the reporting of vulnerabilities to DCSA, we urge you to send us any vulnerability you detect. Any researcher who provides a high-quality report which will be important for the continuity and reliability of the transport industry.
Description
Responsible Disclosure indicates DCSA’s continued commitment to improve its security posture. As part of this process, we work closely with security researchers to identify and report vulnerabilities they find within our systems.
Publication
You are always allowed to publish your findings, but always discuss this upfront with DCSA. We want to make sure that issues are fixed before publication. DCSA appreciates security researchers' efforts in reporting vulnerabilities in its systems, as long as the discovered vulnerability is in scope, was detected without the use of intrusive testing techniques, and the report follows the disclosure guidelines below.
Bounties
Depending on the severity of the finding, we are willing to offer a bounty; as we are a non-profit organisation, this will be limited.
Rules of Engagement
Reports are required to be written in English. Please include a clear attack scenario outlining detailed reproduction steps. Make sure that during your investigation you do not cause any damage or disruption to our systems, so do not alter, change or delete data in our systems. Do not put a backdoor in the system, not even for the purpose of demonstrating the vulnerability, as inserting a backdoor will cause even more damage to the safety of our systems. Do not penetrate the system any further than required for the purpose of your investigation. Make sure that during your research you do not inadvertently cause a data breach (for example, by sharing screenshots or recordings on a third-party cloud solution). Laws and regulations on responsible disclosure may differ by country. We strongly advise you to take these regulations into account. Your investigation of our systems could be regarded as a criminal act under local or international law, and you may then risk criminal prosecution. If you have detected vulnerabilities in one of DCSA's systems, please be aware that local law takes precedence over DCSA's rules. Nevertheless, if you act in good faith and according to DCSA's rules, we will not report your actions to the authorities, unless required to do so by law.
General
If a reported vulnerability was already known to DCSA from its own tests or from other reports, it will be flagged as a duplicate.
Theoretical security issues with no realistic exploit scenario or attack surface, or issues that would require complex end-user interaction to be exploited, may be excluded or lowered in severity.
Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted.
Do not use social engineering in order to gain access to our systems.
Vulnerabilities detected by DCSA employees or providers are excluded.
The following are out of scope for this policy:
Domains
Domains not owned by DCSA
Application
Pre-Auth Account takeover/OAuth squatting
Self-XSS that can't be used to exploit other users
Verbose messages/files/directory listings without disclosing any sensitive information
CORS misconfiguration on non-sensitive endpoints
Missing cookie flags
Missing security headers
Cross-site Request Forgery with no or low impact
Presence of autocomplete attribute on web forms
Reverse tabnabbing
Bypassing rate limits or the non-existence of rate limits
Best practices violations (password complexity, expiration, re-use, etc.)
Clickjacking on pages with no sensitive actions
CSV Injection
Sessions not being invalidated (logout, enabling 2FA, etc.)
Mixed content type issues
Cross-domain referrer leakage
Anything related to email spoofing, SPF, DMARC or DKIM
Content injection on error pages
Username/email enumeration
Email bombing
HTTP Request smuggling without any proven impact
Homograph attacks/typosquatting
XMLRPC enabled
Banner grabbing/Version disclosure
Open ports without an accompanying proof-of-concept demonstrating vulnerability
Weak SSL configurations and SSL/TLS scan reports
Not stripping metadata from images
Disclosing API keys without proven impact
Same-site scripting
Blind SSRF without proven impact (DNS pingback only is not sufficient)
Disclosed and/or misconfigured Google API key (including maps)
Host header injection without proven impact
Spam, social engineering and physical attacks
DoS/DDoS attacks or brute force attacks
Reports that state that software is out of date/vulnerable without a proof-of-concept
Attacks requiring physical access to a victim's computer/device, man-in-the-middle attacks, or compromised user accounts