ABStronics Vulnerability Disclosure Program

At ABStronics, we take the security of our systems seriously and appreciate the community's efforts to identify and report vulnerabilities. Our Vulnerability Disclosure Program is designed to encourage responsible reporting of security issues, ensuring they are addressed promptly and effectively. We value the contributions of the security community and are committed to working with you to protect our users and systems.

Reporting a Vulnerability:

If you have identified a potential security vulnerability in our website or systems, please submit your findings via email to info@abstronics.com with the subject line "Vulnerability Report". Your report should include:

- A detailed description of the vulnerability.
- Steps to reproduce the issue.
- Any supporting evidence, such as screenshots or logs.
- Your contact information for follow-up (optional).

Scope:

The scope of our vulnerability disclosure program includes the following domain:

- abstronics.com

Out-of-Scope Items:

To help focus your efforts on critical issues, the following items are considered out of scope for our vulnerability disclosure program:

1. Denial of Service (DoS) Attacks
   - High-volume, automated traffic generation causing service outages.
   - Simple DoS attacks that rely on brute force or flooding.
2. Spamming
   - Email or form spam without clear security impact.
   - Non-targeted phishing.
3. Content Spoofing
   - Non-persistent issues where the attack does not reflect actual user data.
   - URL redirection or manipulation without significant risk.
4. Social Engineering
   - Issues relying on human factors like phishing, pretexting, or baiting.
   - Physical security exploits.
5. Rate Limiting
   - Lack of rate limiting on non-sensitive endpoints.
   - Automated brute-force attacks on non-critical pages.
6. Disclosure of Non-Sensitive Information
   - Banner grabbing or version disclosure (e.g., server software versions).
   - Publicly available information or metadata.
7. Best Practices Violations
   - Missing security headers without an exploitable impact.
   - Deprecated protocols or cipher suites without immediate risk.
8. Open Redirects
   - Simple open redirects, unless they can lead to a more severe attack.
9. Missing SPF/DKIM/DMARC
   - Email configuration issues that do not result in a direct exploit.
10. Clickjacking
   - Clickjacking on pages with no sensitive actions or data.
11. CSRF on Non-Sensitive Actions
   - Cross-Site Request Forgery on forms or actions without significant security impact.
12. Self-XSS
   - Self-exploitable XSS where the user has to perform an action to trigger it.
13. Logout CSRF
   - Forcing a user to log out without further impact.
14. Verbose Error Messages
   - Detailed error messages without sensitive information leakage.
15. Missing Secure Attributes
   - Missing security flags on cookies that do not expose sensitive data.
16. Low-Impact Vulnerabilities
   - Low-severity issues, such as descriptive or minor UI bugs.
17. Third-Party Services
   - Issues in third-party services or products that are outside the scope of our infrastructure.
18. Non-Executable File Inclusions
   - Issues where non-executable files (such as images) are included.
19. Missing HTTP Security Headers
   - Issues related to missing security headers such as X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, etc., unless exploitable.
20. Arbitrary HTTP Methods Allowed
   - Allowing non-standard HTTP methods such as TRACE, OPTIONS, etc., unless they lead to a specific vulnerability.

Responsible Disclosure:

We request that you:

- Do not publicly disclose any details of the vulnerability until we have had a reasonable time to address it.
- Avoid privacy violations, destruction of data, and interruption or degradation of our services during your research.
- Act in good faith and adhere to the law when disclosing vulnerabilities.

We appreciate your efforts to help us maintain a secure environment and will acknowledge your contribution upon successful validation of the reported vulnerability. Thank you for your cooperation and for helping us improve our security posture.

Hall of Fame: