Information submitted to USPS under this policy will be used for defensive purposes – to mitigate or remediate vulnerabilities in our networks or applications, or the applications of our vendors.

Public disclosure of vulnerabilities will only be authorized at the express written consent of USPS. However, use of the USPS's name or brand will only be authorized with express written permission. We will seek to allow researchers to be publicly recognized whenever possible. We want researchers to be recognized publicly for their contributions, if that is the researcher's desire.

To the best of our ability, we will confirm the existence of the vulnerability to the researcher and keep the researcher informed, as appropriate, as remediation of the vulnerability is underway.

USPS's security team will investigate the report and may contact you for further information. Within 2 business days, HackerOne will acknowledge receipt of your report.

USPS remains committed to coordinating with the researcher as openly and quickly as possible. We take our responsibility to protect our network seriously and will give your feedback due thought and consideration. USPS provides critical communication and commerce infrastructure for the U.S. We will investigate every disclosure and strive to ensure that appropriate steps are taken to mitigate risk and remediate reported vulnerabilities. We take every disclosure seriously and very much appreciate the efforts of security researchers.
Types of activities that are not allowed are:

- Access of any third-party systems, including those linked to USPS systems.
- Issues that require unlikely user interaction.
- Open redirect - unless an additional security impact can be demonstrated.
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Vulnerabilities only affecting users of outdated or unpatched browsers.
- Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.).
- Missing HttpOnly or Secure flags on cookies.
- Missing best practices in Content Security Policy.
- Rate limiting or brute-force issues on non-authentication endpoints.
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Any activity that could lead to the disruption of our service (DoS).
- Missing best practices in SSL/TLS configuration.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Previously known vulnerable libraries without a working Proof of Concept.
- Attacks requiring MITM or physical access to a user's device.
- Clickjacking on pages with no sensitive actions.

You submit any known or recommended remediations or mitigations with your report. If at any point you are uncertain whether to continue testing, please engage with our team.