Responsible Disclosure Policy

Last updated 2 July 2024
Introduction
At 永利皇宫app下载注册, safety is our top priority. Our specialists work continuously to optimise our systems and processes. Despite the effort we put into the security of our systems, vulnerabilities can still be present. Do you have the skills, and have you discovered a vulnerability in our systems? Please help by reporting it to us, so that together we can improve the safety and reliability of our systems and those of our members. To encourage the reporting of vulnerabilities to 永利皇宫app下载注册, we urge you to send us any vulnerability you detect. Any researcher who provides a high-quality report which will be important for the continuity and reliability of the transport industry.
Description
Responsible Disclosure reflects 永利皇宫app下载注册’s continued commitment to improving its security posture. As part of this process, we work closely with security researchers to identify and report vulnerabilities they find within our systems.
Publication
You are always allowed to publish your findings, but always discuss this with 永利皇宫app下载注册 beforehand. We want to make sure that issues are fixed before publication. 永利皇宫app下载注册 appreciates security researchers’ efforts in reporting vulnerabilities in its systems, as long as the discovered vulnerability is in scope, was detected without the use of intrusive testing techniques, and the disclosure guidelines below are followed:
Bounty
Depending on the severity of the finding, we are willing to offer a bounty; as we are a non-profit organisation, this will be limited.
Rules of Engagement
Reports are required to be written in English. Please include a clear attack scenario outlining detailed reproduction steps. Make sure that during your investigation you do not cause any damage or disruption to our systems: do not alter, change or delete data in our systems. Do not put a backdoor in the system, not even for the purpose of demonstrating the vulnerability, as inserting a backdoor will cause even more damage to the safety of our systems, and do not penetrate the system any further than required for the purpose of your investigation. Make sure that during your research you do not inadvertently cause a data breach (e.g. by sharing screenshots or recordings on a third-party cloud solution). Laws and regulations on Responsible Disclosure may differ by country. We strongly advise you to take these regulations into account. Your investigation of our systems could be regarded as a criminal act under local or international law, and you may then risk criminal prosecution. If you have detected vulnerabilities in one of 永利皇宫app下载注册’s systems, please be aware that local law takes precedence over 永利皇宫app下载注册’s rules. However, if you act in good faith and according to 永利皇宫app下载注册’s rules, we will not report your actions to the authorities, unless legally required to do so.
General
  • If a reported vulnerability was already known to the company from its own tests or other reports, it will be marked as a duplicate
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded or be lowered in severity 
  • Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted 
  • Do not utilise social engineering in order to gain access to our systems. 
  • Vulnerabilities detected by 永利皇宫app下载注册 employees or providers are excluded
 
Out of scope for this policy:
 
  • Domains not owned by 永利皇宫app下载注册
Application
  • Pre-Auth Account takeover/OAuth squatting 
  • Self-XSS that can't be used to exploit other users 
  • Verbose messages/files/directory listings without disclosing any sensitive information 
  • CORS misconfiguration on non-sensitive endpoints 
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact 
  • Presence of autocomplete attribute on web forms 
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits. 
  • Best practices violations (password complexity, expiration, re-use, etc.) 
  • Clickjacking on pages with no sensitive actions 
  • CSV injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.) 
  • Mixed content type issues
  • Cross-domain referer leakage
  • Anything related to email spoofing, SPF, DMARC or DKIM 
  • Content injection on error pages
  • Username/email enumeration
  • Email bombing
  • HTTP Request smuggling without any proven impact 
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing/Version disclosure 
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability 
  • Weak SSL configurations and SSL/TLS scan reports 
  • Not stripping metadata from images
  • Disclosing API keys without proven impact 
  • Same-site scripting
  • Blind SSRF without proven impact (DNS pingback only is not sufficient) 
  • Disclosed and/or misconfigured Google API key (including maps) 
  • Host header injection without proven impact 
  • Spam, social engineering and physical attacks 
  • DoS/DDoS attacks or brute force attacks 
  • Reports that state that software is out of date/vulnerable without a proof-of-concept 
  • Attacks requiring physical access to a victim’s computer/device, man in the middle or compromised user accounts