One2Treat Security
At One2Treat, we take security seriously. We do not have a formal reward program in place, but we will consider any issue reported using the process below on a case-by-case basis.
We do not wish to be contacted regarding the vulnerabilities below, which are considered out of scope:
- Phishing attacks
- Self-XSS
- Physical attacks (burglary, bypassing physical access control, …)
- Verbose messages/files/directory listings with no proven impact
- CORS misconfiguration
- Disruptive or destructive attacks (D/DOS, …)
- Email spoofing, SPF, DMARC or DKIM
- Missing cookie flags except session related cookie flags
- Clickjacking
- Missing security headers
- Cross-site request forgery with no proven impact
- Autocomplete attributes on webforms
- API key disclosure without proven business impact
- Best practice violations (password complexity, expiration, re-use, etc.)
- Email bombing
- HTTP request smuggling with no proven impact
- Open gates without proven impact
- Banner grabbing/version disclosure
- Weak SSL configurations and SSL/TLS scan reports
- Disclosing API keys without proven impact
- Same-site scripting
- Arbitrary file upload with no proven impact
- Blind SSRF without proven business impact
- Cookie information disclosure without proven impact
- HTML injection with no proven impact
Report
Email security@one2treat.com with a PGP-encrypted mail including the information needed to reproduce the vulnerability and the location where you found it (URL, domain, web page). Our security team will get in touch with you.
Please import this public key into your local OpenPGP key manager via keys.openpgp.org: C62589F9ECC359B9