Security Contact Information

Scope

  1. siberkulupler.com
  2. ctf.siberkulupler.com
  3. form.siberkulupler.com
  4. link.siberkulupler.com


Primary Communication Channel for Vulnerability Reports

  1. Contact: [email protected]


Accepted Languages

  1. Turkish
  2. English


Hall of Fame

  1. https://siberkulupler.com/hall-of-fame


Out-of-Scope Vulnerabilities and Attack Types

Performing the following tests, or reporting on the following topics, is against program rules; such submissions are not eligible for a reward or for Hall of Fame consideration:


1. Service Disruption and Infrastructure Attacks

  1. DoS / DDoS Attacks: Any network- or application-layer denial-of-service attack intended to disrupt the availability of the systems.
  2. Destructive Testing: Harmful tests that could cause data deletion, corruption, or system crashes.
  3. Automated Scanners: Reporting raw outputs directly from automated vulnerability scanning tools (Nessus, Acunetix, Burp Suite Pro, etc.) without any manual verification.
  4. Domain / Sub-domain Takeovers: Domain or sub-domain takeover attacks.


2. Physical Security and the Human Factor

  1. Social Engineering: Social engineering attacks such as phishing, vishing, or smishing targeting Siber Kulüpler members, administrators, or users.
  2. Physical Security: Physical access attempts or tests targeting the data centers where servers are hosted, or the office/home networks of team members.


3. Low Impact or Theoretical Vulnerabilities

  1. Self-XSS: XSS that a user can only trigger in their own browser (for example by pasting the payload themselves) and that cannot be delivered to other users.
  2. Logout CSRF: CSRF vulnerabilities that only result in the user logging out of the system.
  3. Security Headers: Missing HTTP security headers (X-Frame-Options, CSP, HSTS, etc.) unless a clear and exploitable impact is proven.
  4. Missing Email Authentication: Missing SPF, DKIM, or DMARC records, unless a successful email spoofing scenario against the domain is demonstrated.
  5. Rate Limiting / Brute Force: Lack of rate limiting on non-critical endpoints (e.g., missing limits on contact forms).
  6. Non-Sensitive Information Disclosure: Disclosure of software version information, server banners (e.g., Server: nginx/1.24.0), or non-confidential files.
  7. Clickjacking: Clickjacking reports on pages that do not involve sensitive actions.
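
The email authentication item above draws the line at a demonstrated spoofing scenario rather than a missing record. The following Python triage helper is an added example, not part of the Siber Kulüpler policy or any tooling of theirs: it parses a domain's SPF and DMARC TXT records and reports whether the published posture would even let a receiving server reject a forged message. The records are constructed sample strings so the script runs offline (in practice you would fetch them with a DNS resolver), and the function and field names are the example's own. A "spoofing plausible" verdict is a precondition for a demonstration, not a demonstration itself; the report still has to show a delivered spoofed message.

```python
"""Triage helper: does a domain's SPF + DMARC posture even allow rejection of spoofed mail?

Added example for the out-of-scope item on missing SPF/DKIM/DMARC records.
Sample records below are constructed, not real DNS lookups.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Posture:
    spf_all: Optional[str]        # qualifier of the terminal "all": "+", "-", "~", "?" or None
    dmarc_policy: Optional[str]   # DMARC p= tag, or None when there is no valid DMARC record
    spoof_plausible: bool         # True when the posture alone would not stop a forged From:
    reasons: List[str] = field(default_factory=list)


def spf_all_qualifier(record: Optional[str]) -> Optional[str]:
    """Return the qualifier of the 'all' mechanism in an SPF record.

    RFC 7208: an omitted qualifier means '+' (pass). No 'all' term, or no
    SPF record at all, yields None, which receivers treat as neutral/none.
    """
    if not record or not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None


def parse_dmarc(record: Optional[str]) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict; {} unless it is a DMARC1 record."""
    tags: Dict[str, str] = {}
    for part in (record or "").split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def assess(spf_record: Optional[str], dmarc_record: Optional[str]) -> Posture:
    """Classify SPF + DMARC posture for triage.

    Receivers act on SPF/DKIM failures only when DMARC asks them to, so the
    DMARC p= tag decides enforcement. SPF '+all' re-opens the hole even under
    p=reject, because any sender then passes SPF for an aligned MAIL FROM.
    The sp= and pct= tags are ignored here for brevity.
    """
    qualifier = spf_all_qualifier(spf_record)
    policy = parse_dmarc(dmarc_record).get("p", "").lower() or None
    reasons: List[str] = []
    if policy is None:
        reasons.append("no DMARC record: receivers are not asked to reject or quarantine failures")
    elif policy == "none":
        reasons.append("DMARC p=none: failures are only reported, never acted on")
    if qualifier is None:
        reasons.append("SPF missing or without an 'all' term: unknown senders are neutral")
    elif qualifier == "+":
        reasons.append("SPF '+all': every sender passes, so a forged MAIL FROM satisfies DMARC alignment")
    elif qualifier == "?":
        reasons.append("SPF '?all': unknown senders are neutral; only an enforcing DMARC policy stops them")
    enforcing = policy in ("quarantine", "reject")
    return Posture(qualifier, policy, (not enforcing) or qualifier == "+", reasons)


# Constructed sample records (hypothetical domains, not real lookups).
SAMPLES: Dict[str, Tuple[Optional[str], Optional[str]]] = {
    "hardened.example": (
        "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all",
        "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example",
    ),
    "no-records.example": (None, None),
    "open-spf.example": ("v=spf1 +all", "v=DMARC1; p=reject"),
    "monitor-only.example": ("v=spf1 ip4:198.51.100.10 ~all", "v=DMARC1; p=none"),
}


def triage(samples: Dict[str, Tuple[Optional[str], Optional[str]]] = SAMPLES) -> Dict[str, Posture]:
    """Assess every sample domain and return the postures keyed by domain."""
    return {domain: assess(spf, dmarc) for domain, (spf, dmarc) in samples.items()}


if __name__ == "__main__":
    for domain, p in triage().items():
        verdict = ("spoofing plausible: worth attempting a demonstration" if p.spoof_plausible
                   else "enforced: a missing-record report here would be out of scope")
        print(f"{domain}: SPF all={p.spf_all} DMARC p={p.dmarc_policy} -> {verdict}")
        for reason in p.reasons:
            print("   -", reason)
```

Only the hardened sample comes out as enforced; the other three are the postures where a researcher should go on to produce an actual spoofed delivery before reporting.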


4. Third-Party Systems

  1. Vulnerabilities in third-party service providers, plugins, or infrastructures that are not under the direct control or ownership of siberkulupler.com (e.g., a third-party email service or hosting provider).
  2. cdn.siberkulupler.com/*

