Responsible Disclosure Policy

Your efforts to help us keep our services safe and secure are greatly appreciated.

Our Commitment

At ITGOIT, we consider the security of our systems a top priority. However, no matter how much effort we put into system security, there can still be vulnerabilities present. If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.

Scope

In Scope

  • Any domain or service directly owned by ITGOIT, such as itgoit.nw and its subdomains.
  • Our customer-facing web applications and APIs.
  • Our backend infrastructure directly supporting in-scope services.

What You Do Not Need to Report (Out of Scope)

  • Clickjacking on pages with no sensitive actions and without a documented series of clicks that can exploit a sensitive functionality.
  • Cross-Site Request Forgery (CSRF) for non-significant actions.
  • CORS misconfigurations when the Credentials header is not set.
  • Missing HTTP security headers that do not directly lead to a vulnerability (e.g., CSP, HSTS, X-Content-Type-Options, etc.).
  • Missing best practices in SSL/TLS configuration.
  • Missing best practices in Content Security Policy.
  • Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.).
  • Missing cookie flags on cookies that do not hold session or other sensitive information.
  • Information Disclosure – default exposed config files with no sensitive data.
  • Open redirect vulnerabilities that do not demonstrate additional security impact.
  • Content spoofing and text injection issues without showing an attack vector or being able to modify HTML/CSS.
  • Host header Injection with no demonstrable impact.
  • Vulnerabilities reported shortly after their public release (please allow a reasonable time for patching).
  • Vulnerability reports from automated tools without validation.

Safe Harbor

We consider activities conducted consistent with this policy to constitute authorized conduct under the Computer Fraud and Abuse Act. To the extent your activities are consistent with this policy, we will not initiate a lawsuit or law enforcement investigation against you in response to your report. We hope that you will, in turn, not engage in any legal action against ITGOIT.

How to Report a Vulnerability

Please send your findings by using the button below. We highly encourage you to encrypt your message using our OpenPGP key to protect the information. Please follow the rules below:

  • Provide sufficient information to identify the problem so that we can address it as quickly as possible. The IP address or URL of the system and a description of your findings are often sufficient. However, for complex problems, more information may be necessary.
  • Leave your contact details so that we can get in touch with you.
  • Report your findings to us as soon as possible after discovery.
  • Do not share information about your findings with anyone except the designated persons at ITGOIT.
  • Handle the knowledge of your findings with care and only use it to inform us of what you have discovered.