Responsible Disclosure Articles
Yer efforts to help us keep our ship watertight and secure be greatly appreciated, matey.
Our Pledge
At ITGOIT, we consider the security o' our systems a top priority. But no matter how sturdy the hull, a leak can always appear. If ye spot a weakness, we want to know, so we can patch it up afore we take on water. We ask ye to lend a hand in protectin' our crew and our fleet.
How to Report a Breach in the Hull
Send yer findings by usin' the button below. We highly encourage ye to seal yer message in code by encryptin' it with our OpenPGP public key, so the intelligence stays protected in transit. Follow the Captain's orders:
- Provide enough intelligence to chart the problem, so we can address it with haste. The IP address or URL of the vessel and a description of yer findings are often enough. However, for more treacherous waters, more detail may be required.
- Leave yer mark (contact details), so we can send word back.
- Report yer findings as soon as ye've discovered the weakness.
- Keep a silent tongue about yer findings to all but the designated officers of ITGOIT.
- Use the knowledge of yer findings with care, only to inform us of the discovered weakness, savvy?
The Ship's Boundaries
In the Ship's Charter
- Any domain or service flyin' ITGOIT's colors, like itgoit.nl and her subdomains, arr!
- Our web apps and APIs facin' the crew o' customers, ready fer testin' yer cannons!
- The backend riggin’ that keeps our in-scope services sailin’ true, matey.
What Ye Need Not Report (Squabbles Below Deck)
- Clickjacking on pages with no treasure at stake.
- Cross-Site Request Forgery (CSRF) for trivial tasks like swabbing the deck.
- CORS misconfigurations where no credentials be passed.
- Missing HTTP security headers that don't directly lead to a breach (e.g., CSP, HSTS, X-Content-Type-Options).
- Minor failings in the rigging of SSL/TLS.
- Minor failings in the Content Security Policy chart.
- Minor failings in the ship's mail protocol (e.g., SPF/DKIM/DMARC records).
- Missing flags on biscuits (cookies) that don't hold the captain's log or other treasures.
- Information leaks from charts left in the open with no secrets on 'em.
- Open redirects that don't lead a galleon into treacherous waters.
- Content spoofin' and text carvin' without showin' a clear path to mutiny or modifyin' the ship's articles.
- Host header tomfoolery with no demonstrable impact.
- Reports o' newly discovered sea monsters just after they've been charted (give us time to ready the cannons).
- Reports from automated spyglasses (scanners) without a human's validation.
Safe Harbor
We consider activities conducted under these articles to be authorized conduct. As long as ye act in good faith, we'll not press-gang ye or send the Royal Navy after ye for yer report. We expect ye'll show us the same courtesy and not bring legal action against ITGOIT.