Critical zero-day-gap in Log4j (CVE-2021-44228) compromises numerous servers and apps. We have checked our software and services for this - our products PAVE and DYVE are NOT affected. Our customers' data is safe!

Vulnerability Disclosure Policy

We kindly ask you to inform us about any vulnerabilities found in web applications and IT systems of PMG Projektraum Management GmbH. We will take immediate action to fix the vulnerability found as soon as possible.  We honor all those who take the time and effort to report vulnerabilities to us in accordance with this policy. We do not offer monetary rewards.

If you believe you have found a vulnerability, please submit your report to us sec@pmgnet.de

The report should provide the following information

  1. Title
  2. Vulnerability type
  3. Severity (Low/Medium/High/Critical)
  4. Affected asset* (Website, IP, Product, Service, etc.)
  5. Description of the vulnerability*
    • Vulnerability Summary
    • Supporting files (screenshot or video)
    • Solution Notes
  1. Steps to reproduce the vulnerability*S
    • Clear description of the steps necessary to reproduce the vulnerability
    • Proof of concept code, if available
  1. Effect
    • The impact of successful exploitation of the vulnerability
  1. Contact details**
    • We need a way to contact you if we have any questions
  1. Declaration of consent to mention the name/alias and the vulnerability found in the acknowledgments

*Mandatory information

Proceed as follows

  • Do not exploit vulnerabilities found, for example by downloading, modifying, deleting or uploading data or uploading code. Do not carry out any attacks (social engineering, DDoS, etc.) on Projektraum Management GmbH.

 

  • Don’t use automated scans to find vulnerabilities.

 

  • Do not pass on information about the vulnerability to third parties without the approval of PMG Projektraum Management GmbH. Do not violate the rights of users and employees of PMG Projektraum Management GmbH by passing on (privacy) data.

 

  • Remove any information obtained as soon as it is no longer needed for vulnerability testing – no later than 1 month after the vulnerability has been closed.

 

  • Provide us with enough information so that we can reproduce and analyze the problem. Provide a contact option for questions. Reports from automated tools without explanatory documentation are not covered by this policy.

Our Promise

  • We try to resolve the vulnerability as quickly as possible and inform you about the progress of the process.

 

  • We will inform you when the reported vulnerability has been closed and, if necessary, ask you to confirm that the solution is adequate. Once the vulnerability has been resolved, we welcome requests to disclose your report. We would like to support affected users in the best possible way and ask you to coordinate the publication with us.

 

  • If you wish, we will include your name (or alias) and the description of the vulnerability in the acknowledgments on our homepage to express our respect for your capabilities.

 

  • If you act in accordance with the requirements of the Vulnerability Disclosure Policy of PMG Projektraum Management GmbH and without recognizable criminal intent, the law enforcement authorities will not be informed in connection with your findings.

(Non-)Qualified vulnerabilities

Any design or implementation issue that is reproducible and compromises security can be reported. Common examples are remote code execution, unauthorized access to properties or accounts, improper error handling, actively exploitable backdoors, information leakage, misconfiguration, and much more.

The following vulnerabilities are outside the scope of this Vulnerability Discosure Policy:

  • Unexploitable vulnerabilities
    • Non-adherence to best practices.
    • Missing security headers that do not directly lead to an exploitable vulnerability.
    • The use of a library known to be vulnerable or publicly broken (without active evidence of exploitability).
  • Vulnerabilities that require direct physical access to the device or network by a user.
  • Use of vulnerable and “weak” cipher suites.
  • (Distributed) Denial of Service, Spams, Mass Registration.
  • Social engineering in any form.

Acknowledgments

Name/AliasURLVulnerability
Kunal Mhaskehttps://www.linkedin.com/in/kunal-mhaske-59928a170Missing DMARC record
Kunal Mhaskehttps://www.linkedin.com/in/kunal-mhaske-59928a170Clickjacking
Gaurang Mahetahttps://www.linkedin.com/in/gaurang883Exposure of WP Debug log
Parth Narulahttps://www.linkedin.com/in/parth-narula-86283821aClickjacking in Login form
Parth Narulahttps://www.linkedin.com/in/parth-narula-86283821aInsufficient input control
Shivam Dhingrahttps://www.linkedin.com/in/shivam-dhingra/Missing DNSSEC record
Suprit S Pandurangihttps://www.linkedin.com/in/suprit-pandurangi/Enabled XMLRPC leading to SSRF