# NKHN: Responsible disclosure of security incidents

We assess all reports based on business risk impact and criticality. NKHN may provide rewards (e.g. bug bounty) to eligible reporters of qualifying original vulnerabilities. We appreciate your help in disclosing the issue to us responsibly.

We make every effort to be fair and consistent. We may choose to pay higher rewards for severe vulnerabilities or lower rewards for vulnerabilities with low impact. Severity is rated from P1, the highest (RCE and similar), to P5, the lowest (a misconfiguration or an expired certificate).

# Scope

NKHN initially covers the following assets for reporting:

1. nkhn.nl
2. sander.grids.be
3. 0x4.eu
4. getgoing.nl
5. grids.be

# Rewards

We only reward the first reporter of a valid vulnerability that demonstrates the issue using their own account. Duplicate reports will not be rewarded. You are responsible for paying any taxes associated with the reward. Additionally, your name or handle can be listed in the Hall of Fame at https://nkhn.nl/hall-of-fame.html.

# Submission Process

If you find a security vulnerability, please submit it by email to security@nkhn.nl. If the nature of your report warrants encrypted communication, you can use the GPG key for security@nkhn.nl (0x153B67596A3006F8), available at https://keys.openpgp.org/vks/v1/by-fingerprint/F0C956D795BE6A95D5042921153B67596A3006F8

Rewarded reports will be payable by PayPal.

## Rules for reporting and testing

* Do not publicly disclose any details of the vulnerability.
* Do not cause an interruption or degradation of our service.
* Do not use security scanners or tools which may cause DoS, DDoS or scraping-like behavior.
* Do not compromise, destroy, alter, or remove any data from our systems.
* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
* Do not use automatic tools to check on the status of your vulnerability submission.
* Any vulnerability found must be reported no later than 48 hours after discovery.

## What we are looking for

* Remote Code Execution (RCE)
* Server-Side Request Forgery (SSRF)
* SQL Injection
* Server-side Remote Code Execution (RCE)
* XML External Entity Attacks (XXE)
* Directory Traversal Issues
* Local File Disclosure (LFD)
* Content Spoofing

## Out of scope

Reports on the following are appreciated, but are only rewarded with a mention in the Hall of Fame (https://nkhn.nl/halloffame.html). These include, amongst others:

* WordPress XMLRPC brute force attacks
* Cross-Origin Resource Sharing (CORS) policy misconfiguration
* Banner grabbing issues to figure out the stack we use, or software version disclosure
* Open ports without a vulnerability
* Disclosure of known public files or directories (e.g. robots.txt)
* HSTS or CSP headers
* User Enumeration
* User/email enumeration
* Missing HTTP Security Headers
* Web Server Version Disclosure
* Outdated Web Server Version
* Missing best practices in DNS configuration (DKIM/DMARC/SPF/TXT)
* OpenSSH version issues
* Clickjacking
* HTML Injection
* Comment Injection
* Missing XSS Protection Header