Responsible Disclosure
Securing our ICT systems is a top priority for Maximum. However, no system is immune to vulnerabilities, so loopholes and weaknesses can never be ruled out entirely.
Hence, we would love to hear from you if you have found a weakness in one of our ICT systems. We will handle such security issues under the following policy:
What we ask of you:
- To email your findings to sysop@maximum.com. If possible, encrypt the email with the PGP key of sysop@maximum.com. This will prevent the wrong people from benefiting from the information.
- To provide enough information to reproduce the safety issue, ensuring that Maximum can solve the problem quickly. More often than not, the IP-address or the URL of the ICT system and a description of the shortcoming(s) will be enough. However, when it is a more complex problem, an elaborate description could be necessary.
- To provide your contact details, either an email address or a phone number, so Maximum can contact you.
- To not share the information regarding the safety issue until it has been solved.
- To act responsibly by performing no more actions than are necessary to identify the safety issue.
Please do report:
- Persistent Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF/XSRF)
- Broken Authentication
- Circumvention of our framework's privacy and permission models
- Remote Code Execution
Please do not report:
- Username dictionary attack
- Self-XSS
- Missing / loosely configured DNS SPF records
- Social hacking
- Publicly accessible login pages for cms/admin area
- Security vulnerabilities in third-party applications (like Kerio) that are not patched in the latest version
- Denial of Service Vulnerabilities
- Missing HSTS header / Secure cookie flag (https on this site is not enabled in every part of the world)
- Missing DNSSEC (we're working on it)
- Password reset email capture
- Attacks requiring DNS takeover
- Webmail accessible over non-secure connection
- Missing CSP headers (we're working on it)
- Missing Public Key Pinning headers
- Mail relay server configuration issues
Whatever you do, please avoid the following actions:
- Spreading or distributing malware.
- Copying, changing or deleting data in the system (an alternative would be making a directory listing of the system).
- Changing the system.
- Repeatedly acquiring access to the system or sharing the access with others.
- Brute-forcing access to the system.
- Using denial-of-service attacks or social engineering.
What you can expect:
- When a shortcoming in maximum.com is reported in accordance with the terms and conditions stated above, Maximum will not pursue any legal action in response to the report.
- Maximum will process the report confidentially, and no personal details will be shared with third parties without your permission, unless this is a legal requirement.
- After consultation, Maximum can acknowledge you by publishing your name as the one who identified this particular safety issue.
- Within one working day, the system operator of maximum.com will send you a confirmation of receipt.
- Within three working days, the system operator of maximum.com will send you an evaluation of the safety issue. This will include an estimation of the time that it will take to solve the problem.
- The system operator of maximum.com will keep you updated on the progress of solving the safety issue.
- The system operator of maximum.com will try to resolve the safety issue as soon as possible, within a maximum time period of 60 days. After consultation with Maximum, it can be decided if and how the resolved safety issue will be published.
- To thank you, a reward will be offered by Maximum. This reward will vary depending on the seriousness of the issue and the quality of the report.
The public key for sending encrypted emails to sysop@maximum.com: