Responsible Disclosure
Introduction
ADMIRAL attaches great importance to the security of its products and services. However, despite all efforts, vulnerabilities can never be completely eliminated. If vulnerabilities are identified and exploited, this jeopardises the confidentiality, integrity or availability of ADMIRAL’s systems and the information processed therein.
For responsible disclosure of vulnerabilities, this policy describes which systems and types of tests are acceptable and how to report vulnerabilities. We encourage you to contact us to report potential security issues in our systems by following this policy.
This policy is intended to assist both security researchers and organisations in disclosing security vulnerabilities. This is an area where co-operation is extremely important to ADMIRAL, but can often lead to conflict between the two parties.
Scope of application
The scope of this guideline covers the domains and vulnerabilities listed below. The list of domains and vulnerabilities may change in the future and is exhaustive.
Domains
The following domains fall within the scope of this policy:
- *.admiral-entertainment.at
- *.admiral.ag
- *.admiral.at
- *.admiral-technologies.at
Vulnerabilities
The following vulnerabilities and information technology security gaps, for example, fall within the scope of this guideline:
- Remote Code Execution
- SQL injection vulnerabilities
- Authentication or authorization flaws
- Server-side code execution bugs
- Encryption vulnerabilities
- Cross Site Request Forgery (CSRF)
- Cross Site Scripting (XSS)
- Insecure Direct Object Reference
- Remote Code Execution (RCE) – Injection Flaws
- Information Leakage and Improper Error Handling
- Unauthorised access to properties or accounts
- Data/information leaks
- Possibility of exfiltration of data / information
- Actively exploitable backdoors
- Possibility of unauthorised system use
- Misconfigurations
- etc.
Not in the scope of application
The following vulnerabilities and information technology security gaps do not fall within the scope of this policy:
- All systems not listed in the ‘Scope of application’ section
- Disclosing information about security vulnerabilities, except as described in the ‘Reporting a Security Vulnerability’ section
- Physical attacks against data centres or Group property
- Social engineering attacks targeting ADMIRAL employees, customers, facilities or contractors (for example: falsifying login pages, customer service, social media)
- Distribution of spam
- Denial of Service attacks (DoS / Distributed Denial of Service, DDoS)
- Missing HTTP security headers without specific effects or which do not lead directly to an exploitable vulnerability
- Errors that can only be exploited by clickjacking
- Self-XSS
- Vulnerabilities that require unlikely user interaction (for example: disabling browser protection measures)
- Disclosure of information that is marked as public
- Attacks that require a man-in-the-middle
- Faulty social media links
- Use of a library known to be vulnerable or publicly known to be broken, without active proof of exploitability
- Submissions of best practices (e.g. certificate pinning, security header).
- Reports of (potential) fraud or compliance issues (to report a compliance issue, please use the NOVOTRUST whistleblower portal)
- etc.
Guidelines
Do
When carrying out your activities, it is imperative that you
- comply with the scope of this Policy and the relevant (data protection) legislation; and
- not disclose to the public or other parties any data that you have downloaded during discovery; and
- not disclose the vulnerability or issue to the public or other parties until it is fixed; and
- stop your testing if you discover sensitive information (personal data, medical, financial, proprietary information or trade secrets), notify us immediately, do not disclose the data obtained to third parties and securely delete any sensitive data inadvertently obtained after notifying us.
Do not
When carrying out your activities, it is imperative that you refrain from the following actions:
- Carry out any activity that may cause damage to the domains and systems concerned or impair their integrity, availability or confidentiality.
In particular, the following is prohibited:
- Placing malware (viruses, worms, Trojan horses, etc.) on a system; and
- Compromising systems through exploits in order to gain full or partial control; and
- Copying, modifying or deleting data on the system; and
- Making changes to the system; and
- Creating repeated access to the system; and
- Sharing obtained access to the system with other parties; and
- Using obtained access to the system to access other systems; and
- Modifying the access rights of other users; and
- Exploiting vulnerabilities or issues you discover, for example, by downloading more data than necessary to demonstrate the vulnerability or by deleting or modifying other people’s data; and
- Using automated scanning tools; and
- Performing so-called ‘brute force’ attacks to gain access to arbitrary systems; and
- Performing denial-of-service attacks or social engineering (phishing, vishing, spam, etc.); and
- Carrying out attacks on physical security
Reporting a security vulnerability
Please describe the discovered vulnerability or security gap in detail and, if possible, with supporting documents so that our information risk experts can analyse the findings.
Information on the security vulnerability
Where possible, please include the following information in your report:
- The nature of the vulnerability or issue; and
- Affected service, product, IT system, device or URL; and
- Specific configuration or requirements to reproduce the issue; and
- Information required to reproduce the issue; and
- Impact of the vulnerability and an explanation of how an attacker could find and exploit it
Anonymous reporting of a security vulnerability
When using the NOVOTRUST whistleblower portal, anonymous reports, e.g. on data protection, Code of Conduct or similar, can be submitted. The protection of anonymity applies to the extent permitted by law.
Non-anonymous reporting of a security vulnerability
Non-anonymous reports must be submitted by e-mail to disclosure@admiral.at.
After the notification
Our information risk analysts will assess the finding and respond as quickly as possible. Each case will be analysed individually. We ask that you give us the appropriate opportunity and time to conduct this analysis, keep the information confidential and not disclose the vulnerability to the public or other parties without consulting with our analysts. ADMIRAL will keep you informed of the progress of the investigation to the extent possible and appropriate.
After the initial analysis of the report, we may request further information, evidence and supporting documents in relation to your findings. If the report is sensitive and/or contains personal data, we may instruct you to exchange information using encryption keys to ensure the confidentiality and security of communications and provide you with further instructions on how to dispose of personal data securely.
For anonymous reports via the NOVOTRUST whistleblower portal, the responsible whistleblower officer will be notified and will process and/or forward the case in accordance with the current guidelines. Depending on the level of concern and criticality, ADMIRAL undertakes to inform all relevant interest groups of the imminent risks in a timely manner. An imminent threat exists in particular if a vulnerability with a CVSS score of 7.0 or higher is identified.
Version 2.00, status as at 15 October 2024