What is the VDP?
The Vulnerability Disclosure Policy of Yoummday GmbH (VDPyoummday) is a legally harmonised process for the responsible disclosure of vulnerabilities found at Yoummday GmbH by IT security researchers or developers. There is no monetary reward.
I reported a vulnerability yesterday, why hasn't it been closed yet?
We endeavour to close the reported vulnerabilities as quickly as possible. Once a vulnerability report has been received, it is included in our regular process. It may be the case that further vulnerabilities are waiting in a queue for processing. The report is first checked for plausibility. We may also have to contact the provider in question to clarify the issue and plan and implement mitigation measures.
What is the difference between a danger/threat, a risk, a vulnerability, damage and a hazard at Yoummday GmbH?
Hazards/threats have the fundamental potential to cause damage.
Damage is defined as a disadvantage caused by the reduction or loss of tangible or intangible assets.
The risk is determined by the probability of occurrence and the amount of loss and cannot usually be fully objectively assessed.
Vulnerabilities in terms of information technology are errors within the hardware and software used. They can be caused by inadequate programming, configuration and operation of IT systems, among other things, and can lead to a hazard.
Hazard describes the state when a real danger can affect a specific asset and damage is likely to occur.
Hazards in themselves are not considered qualified vulnerabilities. Vulnerabilities whose exploitation leads to a risk to Yoummday GmbH and where damage is likely to occur are referred to as qualified vulnerabilities.
Can I discuss the vulnerability with other people?
Responsible handling of a vulnerability means that you only report it or share it with others once the vulnerability has been closed. We will of course inform you about this.
How long does it take you to rectify weak points?
It is customary to finalise the vulnerability report no later than 90 days after receipt. However, depending on the complexity of a vulnerability, it can also take considerably longer.
What is your scope?
The VDPyoummday covers all Yoummday GmbH websites and IT systems accessible via the Internet.
May scanners also be used (e.g. Burp, Nessus, etc.)? Are active scans permitted?
In principle, you can use vulnerability scanners for your work. The intensity and invasiveness of the active vulnerability scans must not impair availability. Invasive active mass scanning is therefore not permitted. In addition, submitted reports from automated tools without explanatory documentation formally count as non-qualified vulnerability reports and are not recognised.
What is a qualified vulnerability?
A qualified vulnerability and the associated recognition are characterised in particular by the fact that this vulnerability poses a threat or risk to the IT infrastructure, persons or assets of Yoummday GmbH. An assessment of the criticality and exploitability of the reported vulnerability is the responsibility of Yoummday GmbH.
VDPyoummday - Our thanks to you