# How to report a security vulnerability

Email security@researchspace.com and encrypt your email using our public OpenPGP key. We will not accept report emails if they are not encrypted. The PGP key and other information, such as the scope, are below. Use only OpenPGP and NOT any proprietary email encryption systems. You MUST attach your own OpenPGP public key to your email report; without one we will NOT be able to reply to you.

# How to report a bug in RSpace

If your report is only for a bug and not for a security issue, please email support@researchspace.com

# Scope for security vulnerability program

We want to hear from you if you discover a vulnerability on any of the following domains/subdomains:

- Your own self-hosted version of RSpace

If you have any questions about whether something is production safe or not, reach out to security@researchspace.com.

- If you discover any credentials during recon and testing, DO NOT use them for additional testing
- DO NOT pursue post-exploitation or pivot from the vulnerable target into other parts of the network
- We will NOT accept vulnerabilities dependent upon social engineering techniques
- Vulnerabilities contingent upon outdated or unpatched browsers, OSes or other client-side software will NOT be accepted
- Recursive DNS enumeration should be minimised
- NO Self-XSS (user-defined payload)
- Any scanning or brute force attempts on forms are considered Out-Of-Scope and should not be attempted
- Scanners MUST be limited to a maximum of 2 requests/second
- Testing MUST NOT result in DoS or DDoS attacks
- Credential stuffing/password spraying attacks are prohibited

Vulnerabilities regarding DNS records, SPF records and DMARC records, and generic vulnerability scans, are NOT in scope.
# OPENPGP PUBLIC KEY IS BELOW