Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Update SECURITY.md

Browse Source
This commit is contained in:
Laurent Destailleur
2025-03-01 02:24:55 +01:00
committed by GitHub
parent abb4b23dfc
commit 8bec32aff2
1 changed files with 2 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
SECURITY.md
View File

@@ -109,8 +109,7 @@ Scope is the web application (backoffice) and the APIs.
* Software or libraries versions, private IP disclosure, Stack traces or path disclosure when logged-in user is admin.
* Vulnerabilities affecting outdated browsers or platforms, or vulnerabilities inside browsers themself.
* Brute force attacks on login page, password forgotten page or any public pages (/public/*) are not qualified if the recommended fail2ban rules were not installed.
* SSL/TLS best practices
* SSL/TLS practices (cypher enabled or not)
* Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM/DMARC)
* Physical or social engineering attempts or issues that require physical access to a victims computer/device
* Vulnerabilities of type XSS exploited by using javascript into a website page (with permission to edit website pages) or by using php code into a website page
using the permission to edit php code are not qualified, except if this allow to get higher privileges (being able to set javascript or php code is the expected behaviour).
* Vulnerabilities of type XSS exploited by using javascript into a website page of the website module or by using php code into a website page (being able to set javascript or php code is the expected behaviour in the website module), except if the user does not have the permission to edit page or php code.