RISKREX – Digital Risk Management – RISKREX

Security Disclosure Policy

AWARE7 highly appreciates the detection of security vulnerabilities, which is carried out by well-intentioned, ethical security researchers. We strive to thoroughly investigate and solve security problems in our platform and services in cooperation with the community. This document aims to define a method by which AWARE7 can work with the community to improve security.

Scope

This Security Disclosure Policy (SDP) applies only to vulnerabilities in AWARE7 products and services under the following conditions:

Only vulnerabilities that were not originally and previously reported and not already discovered by internal procedures are included in the scope of the SDP.

Only domains that have a security.txt file in their root are included in the scope. Sub-domains are in scope if their parent domain is in scope (i.e. the existence of https://riskrex.com/.well-known/security.txt means that app.riskrex.com and www.riskrex.com are also in scope).

The following security issues are currently not in scope (please do not report them):

  • Volumetric vulnerabilities (i.e. simply overloading our service with a high volume of requests).
  • TLS configuration vulnerabilities (e.g. "weak" cipher suite support, TLS 1.0 support, Sweet32 etc.)
  • Reports of non-exploitable vulnerabilities
  • Reports indicating that our services do not fully comply with best practice, e.g. missing security headers (CSP, x-frame-options, x-prevent-xss etc.) or suboptimal email-related configuration (SPF, DMARC etc.)
  • Social engineering attacks such as phishing, vishing, smishing or impersonation

Bug bounty

Unfortunately, due to various internal factors, we are currently unable to offer a paid bug bounty program on a regular basis. However, we would like to give a token of our appreciation to security researchers who take the time and effort to investigate security vulnerabilities and report back in accordance with this policy. Reporters of qualified vulnerabilities will be rewarded with a unique AWARE7 or monetary reward.

Reporting a vulnerability

If you have discovered an issue that you believe is a security vulnerability within the scope (see the Scope section above for details), please send an email with the following information to security@aware7.de:

  • The website or page where the vulnerability exists.
  • A brief description of the class of the vulnerability (e.g. "XSS vulnerability"). Please avoid at this stage any details that would allow the problem to be reproduced; details will be requested later via encrypted communication.
  • In accordance with industry conventions, we ask reporters to provide benign (i.e. non-destructive) evidence of exploitation wherever possible.

This helps ensure that the report can be reviewed quickly and accurately, while reducing the likelihood of duplicate reports and/or malicious exploitation for some classes of vulnerabilities (e.g. sub-domain takeovers). Please ensure that you do not send proof of exploitation in the first plain-text email if the vulnerability is still exploitable. Please also make sure that any evidence of exploitation complies with our policies (below). If in doubt, please send an email to security@aware7.de. Please read this document completely before reporting vulnerabilities to ensure that you understand and can act in accordance with the policy.

Expectation

In response to your initial email to security@aware7.de, you will receive a confirmation response email from the AWARE7 security team, usually within 24 hours of receiving your report. After the initial contact, our security team will evaluate the reported vulnerability and respond to you as soon as possible to confirm whether further information is required and/or whether the vulnerability falls within the scope of the above-mentioned section or whether it is a duplicate report. From this point on, the necessary corrective action will be assigned to the appropriate AWARE7 teams and/or suppliers.

Priority for bug fixes and/or mitigations will be assigned based on the severity of the impact and the complexity of the exploitation. Vulnerability reports may take some time to review and/or fix. You are welcome to inquire about the status of the process, but please do not limit this to once every 14 days. This helps our security team to focus on the reports as much as possible. Our security team will notify you when the reported vulnerability is resolved (or remediation is planned) and will ask you to confirm that the resolution adequately covers the vulnerability. We will give you the opportunity to provide feedback on the process and the vulnerability resolution. This information is treated confidentially and helps us improve the way we handle reports, develop services and fix vulnerabilities.

Instructions

Security researchers must not:

  • access unnecessary amounts of data. For example, 2 or 3 records are sufficient to prove most vulnerabilities (e.g. an enumeration or an insecure direct object reference);
  • violate the privacy of AWARE7 users, employees, contractors, systems, etc., for example by sharing, redistributing and/or improperly securing data accessed from our systems or services;
  • communicate vulnerabilities or related details by methods not described in this policy, or to anyone other than your specific BBC security contact;
  • change data in our systems/services that is not your own;
  • disrupt our services and/or systems; or
  • disclose vulnerabilities in AWARE7 systems/services to third parties or the public before AWARE7 confirms that these vulnerabilities have been mitigated or fixed. This does not prevent a vulnerability from being reported to third parties to whom it is directly relevant, e.g. if the reported vulnerability is in a software library or framework, but the details of the specific AWARE7 vulnerability may not be disclosed in such reports. If you are unsure about the status of a third party you wish to alert, please send an email to security@aware7.de to resolve the question.

We request that all data retrieved during the investigation be securely deleted as soon as it is no longer needed, and no later than 1 month after the vulnerability has been resolved, whichever is sooner. If at any time you are not sure whether the measures you are planning to take are acceptable, please contact our security team at security@aware7.de (please do not include sensitive information in the initial notification).

Legal information

This SDP is designed to be compatible with the usual good practice of security researchers. It does not give you permission to act in a manner that violates the law or that would cause AWARE7 to breach any of its legal obligations. This includes, but is not limited to:

  • The "hacker paragraph" §202c of the German penal code
  • The GDPR

AWARE7 will not prosecute security researchers who report a security vulnerability in an AWARE7 service in good faith and in accordance with this SDP.

Feedback

If you have any feedback or suggestions regarding this policy, please contact our security team at security@aware7.de. This policy will evolve over time, and your input is valued to ensure that it is clear, complete and remains relevant.

What's the score?

RiskRex provides companies and government agencies with independent insight into the security behavior and practices of their own organization. If required, supply chains and business partners can also be reviewed.

RiskRex evaluates companies on an easy-to-understand 1-100 scale, both for the overall security assessment and for individual risk factors. A security rating is a measure of the company's security on the Internet.

It is based on information collected over the Internet and through RiskRex's proprietary data collection, in combination with commercial and open source data sources. Different algorithms are applied to this data to calculate an assessment appropriate to the risk.

What does the score mean?

Put simply, a company with a high rating of over 73 points is about 5 times more likely to be a victim of cybercrime than a company with less than 33 points. Some individual factors, such as patch levels or application security, are even more meaningful and usually result in a score above 90. In that case companies are up to ten times more likely to be potential victims. A high rating does not automatically mean that a company will be successfully attacked tomorrow, but we know that companies with a lower score have a lower risk.

How does RiskRex calculate the score?

RiskRex uses externally observable data about compromised systems, security measures, user behavior and public announcements to calculate a company's security rating. In addition, findings from Internet scans carried out by the company itself are incorporated. All companies - whether they are customers or not - are evaluated according to the same criteria.

Why can the score help my company?

As you are no doubt aware, "cyber risk is business risk" applies today. If this truism is too broad for you, our score lets you break down what a security rating means in concrete terms.

First, you need to know the condition and status of your own infrastructure in order to assess the risk objectively. What is the level of security throughout the company? Can it withstand threats and attacks? How much budget should we plan for if we want to improve our infrastructure?

Today, globally and nationally operating companies are usually not solely responsible for providing a service or technology. Supply chain security ratings help you assess and manage the risks of third parties that interact with your products, services, networks or other outsourced resources. RiskRex enables companies to audit potential suppliers and to identify and inspect problems within their existing supplier or partner network.

Finally, there is growing demand for, and supply of, cyber insurance. The cost of such a policy ultimately depends on the cyber strategy of the company that wants to take out the insurance: the lower the risk, the better the price. Companies can improve their strategies by incorporating security assessments, tracking improvements to their infrastructure and processes, and demonstrating the lowest possible rating.

Where and how is data collected?

RiskRex's security assessments are based on hundreds of different data sources available on the Internet, the dark net and the deep net.

These sources are carefully curated by our technical staff, and any new source is carefully checked before it is added. Some sources are proprietary, some are based on partner relationships and some are obtained through open source data. The global threat and vulnerability landscape is constantly changing, so once a source is included in RiskRex, we continually review it for accuracy.

Is that legal?

Yes. All information we collect comes from visible and traceable sources.

Our product is non-invasive and does not require its own agents or software to be installed. The information we collect is available to anyone who chooses to collect it. Schufa, Moody's, Creditreform and others have set a precedent for collecting data and presenting a rating based on it. Like these companies, which have established industry standards and ratings, our algorithm is based only on objective, verifiable and comprehensible data.

How can I improve my score?

Our scores are based on historical measurements taken over many years, so the score does not necessarily improve overnight.

RiskRex provides you with resources and strategies for the various risk vectors found, which you can use to improve your rating. You can also use RiskRex to indicate that you have corrected a weakness, in which case we will no longer include it in your individual calculation.

Is there a way to evaluate the company with regard to BSI Grundschutz, NIST, ISO or other standards?

The framework behind our assessments can be aligned with the principles of several industry-leading standards, including NIST 800-53, ISO, PCI, HIPAA, BSI Grundschutz and others. This allows you to pre-audit your organization for a possible pending certification.
A product of the
AWARE7 GmbH
Munscheidstr. 14
45886 Gelsenkirchen