Responsible disclosure policy

Version 1.2, 2023-12-16

At Thalia, we take the security of our infrastructure and digital systems seriously. We develop, build and deploy all systems with security in mind. However, we can never be 100% secure and vulnerabilities will, unfortunately, present themselves. If you find a (potential) vulnerability or security issue, we would appreciate it if you informed us as soon as possible. Please note that we do not pay out money for found vulnerabilities.

How to notify us

We ask you to

  • only exploit vulnerabilities to confirm their presence.
  • give detailed reports of your findings to help us identify the underlying problem.
  • not share your report with anybody else until the problem has been fixed.
  • involve us if you want to publish your report once it has been fixed.
  • respect the privacy of our members.

We promise to

  • take your reports seriously.
  • respond to your reports as soon as possible.
  • solve the issue as soon as possible.
  • respect your privacy and treat your reports confidentially.
  • keep you up to date and work with you to solve the underlying problem.
  • credit you in any internal and external announcements (with your permission).
  • not take any legal action if you followed the above guidelines.

What is the scope

  • You may try to exploit: https://thalia.nu/*
  • Any resource that is not listed here is prohibited.

If you happen to find something on an unlisted resource, please let us know.

Which attacks are disallowed

Because we are a small organisation, we ask you not to use the following attack methods:

  • social engineering
  • physical attacks
  • (distributed) denial of service
  • spam attacks
  • automated scanners

Exceptions

The following reports will not be taken into consideration:

  • the policy of SPF / DKIM / DMARC
  • the policy of CSP

Thank you for your concern, but we are already aware of these issues.


Hall of fame

On this list, we thank the people who followed our responsible disclosure policy!

  • Ward Theunisse for a very good report about a format string vulnerability.
  • Raju Basak for informing us about a rate limiting problem on our password-reset form.
  • Rhythm for informing us about rate limiting and input validation that could be improved on the member registration form.