Responsible disclosure

Coret Genealogy attaches great importance to the safety of its systems. Despite the concern for security, it can happen that there is a weak spot. If you have found a weak spot in one of our systems, Coret Genealogy would like to hear it, so that we can take measures as quickly as possible. Coret Genealogy likes to work with you to better protect our systems.

Index

• What does Coret Genealogy require from you?
• Which actions must be avoided?
• What can you expect from Coret Genealogy?
• What vulnerabilities have been reported?
• Questions about responsible disclosure?

What does Coret Genealogy require from you?

• Email your findings to responsibledisclosure@coret.org.
• Provide sufficient information to reproduce the problem so that we can resolve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability is sufficient, but more complex vulnerabilities may require more.
• Leave contact details so that Coret Genealogy can contact you to work together for a safe result. Leave at least one e-mail address or telephone number.
• Make the report as soon as possible after discovery of the vulnerability.
• Do not share the information about the security issue with others until it is resolved.
• Responsible for dealing with the knowledge of the security problem, by not performing any actions that go beyond what is necessary to demonstrate the security issue.

Which actions must be avoided?

• Placing malware.
• Copying, changing or deleting data in a system (an alternative is to make a directory listing of a system).
• Making changes to the system.
• Repeated access to the system or sharing access with others.
• Using the so-called "brute forcing" of access to systems.
• Use denial-of-service or social engineering.

What can you expect from Coret Genealogy?

• If you meet all of the above conditions when reporting a vulnerability that you have detected in a Coret Genealogy system, we will not attach any legal consequences to this report.
• We treat a report confidentially and do not share personal information with third parties without the consent of the notifier, unless this is required by law or pursuant to a court decision.
• We will send you a confirmation of receipt within 2 business days.
• We will respond to a notification within 5 business days with the assessment of the notification and an expected date for a solution.
• We will keep you informed of the progress in resolving the issue.
• Coret Genealogy solves the security problem that you have found in a system as quickly as possible, but no later than 30 days. It can be determined in mutual consultation whether and how the problem will be published after it has been resolved.
• In mutual consultation we can, if you wish, state your name as the discoverer of the reported vulnerability.

What vulnerabilities have been reported? - Hall of fame

Date	Name	Vulnerability type	Effected part
2017-03-01	Kenny Hietbrink	Cross-site scripting (XSS)	Open Archives searchresultspage
2017-03-02	Kenny Hietbrink	Cross-site scripting (XSS)	Cross-search API van Coret Genealogy
2017-03-02	Elyesa in der Maur	Cross-site scripting (XSS)	Genealogie Online helppages
2017-04-03	@secuninja	Cross-site scripting (XSS)	Open Archives homepage
2017-04-24	Huy Kha @HuyKha_10	Cross-site scripting (XSS)	Stamboom Gids searchresultpage
2017-04-25	Robert Wiggins	Cross-site scripting (XSS)	Stamboom Gids searchresultpage
2017-04-28	Damian Ebelties	Cross-site scripting (XSS)	Genealogie Online familynamespage
2017-04-28	Damian Ebelties	Cross-site scripting (XSS)	OAI tool
2017-04-28	Pethuraj	Cross-site scripting (XSS)	Stamboom Forum profilepage, searchpictures and familynamespage
2017-04-28	Pethuraj	Cross-site scripting (XSS)	Genealogy Online new publicationspage
2017-04-29	Raju Patil	Cross Site Request Forgery (CRSF)	Open Archive password change page
2017-04-29	Raju Patil	Cross-site scripting (XSS)	Open Archives searchresultspage
2017-04-29	Raju Patil	SQL Injectie	Cross-search API
2017-05-05	Sajibe Kanti	Content Spoofing	Coret Genealogy 404-page
2017-06-30	Damian Ebelties	Cross-site scripting (XSS)	OAI tool
2017-08-27	Raju Patil	Cross Site Scripting (XSS)	A2A validation service
2018-02-01	Ali Hassan Ghori	Cross-site scripting (XSS)	Coret Genealogy
2018-07-13	lacroute serge	Reflected XSS	Open Archives viewer
2018-11-03	Chirag Gupta	Readable REST API	Wordpress blog
2018-11-09	lacroute serge	Cross-site scripting (XSS)	Stamboom Forum recent subjects page
2019-05-06	Saima Usman	Cross-site scripting (XSS)	Open Archives search (placename)
2019-05-10	Kerem Tamcı	Cross-site scripting (XSS)	Open Archives overview2 page
2020-01-18	Yogeshwaran Chandrasekaran	Improper Data Validation & Broken Authentiction	Genealogy Online password reset
2020-01-27	4N_CURZE	Cross-site scripting (XSS)	Genealogy Online language selector
2020-03-31	4N_CURZE	Cross-site scripting (XSS)	Genealogy Online unescaped url parameter
2020-06-01	Script_Kiddie	Cross-site scripting (XSS)	Open Archives language setting page
2021-06-26	gaurang maheta	Security Misconfiguration	Genealogie Online showing composer.json/lock
2022-11-01	Kasper Karlsson of omegapoint.se	Cross-site scripting (XSS)	Genealogie Online search

Big thanks to the above mentioned security experts for their reports!

Questions about responsible disclosure?

If you have any questions about the way Coret Genealogy handles responsible disclosure, please contact us at responsibledisclosure@coret.org. We are happy to help you.