
Working at McDonald's

What we ask of you:

  • Please submit the report to our account at https://hackerone.com/maximum or email your findings to sysop@maximum.nl. If possible, encrypt the email with the PGP key of sysop@maximum.nl, so that the information cannot be misused by the wrong people.
  • Provide enough information to reproduce the security issue, so that we can solve the problem quickly. More often than not, the IP address or the URL of the ICT system and a description of the shortcoming(s) will be enough. For a more complex problem, an elaborate description and a proof of concept may be necessary.
  • Provide your contact details, either an email address or a phone number, so that Maximum can contact you.
  • Do not share information about the security issue until it has been solved.
  • Act responsibly by performing no more actions than are necessary to identify the security issue.

Please do report:

  • Persistent Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF/XSRF)
  • Broken Authentication
  • Circumvention of our framework's privacy and permission models
  • Remote Code Execution

Please do not report:

  1. Username dictionary attacks
  2. Self-XSS
  3. Missing / loosely configured DNS SPF records
  4. Social hacking
  5. Publicly accessible login pages for cms/admin area
  6. Security vulnerabilities in third-party applications (like Kerio) that are not patched in the latest version
  7. Denial of Service Vulnerabilities
  8. Missing HSTS header / Secure cookie flag (https on this site is not enabled in every part of the world)
  9. Missing DNSSEC (we're working on it)
  10. Password reset email capture
  11. Attacks requiring DNS takeover
  12. Missing CSP headers (we're working on it)
  13. Missing Public Key Pinning headers
  14. Mail relay server configuration issues

Whatever you do, please avoid the following actions:

  1. Spreading or distributing malware.
  2. Copying, changing or deleting data in the system (an alternative would be making a directory listing of the system).
  3. Changing the system.
  4. Repeatedly acquiring access to the system or sharing the access with others.
  5. Brute-forcing access to the system.
  6. Using denial-of-service attacks or social engineering.

What you can expect:

  • When a shortcoming in werkenbijmcdonalds.nl is reported in accordance with the terms and conditions stated above, we will not pursue legal action in response to the report.
  • Maximum will treat the report confidentially and will not share your personal details with third parties without your permission, unless this is required by law.
  • After consultation, we can acknowledge you by publishing your name as the person who identified this particular security issue.
  • Within one working day, the system operator will send you a confirmation of receipt.
  • Within three working days, the system operator will send you an evaluation of the security issue, including an estimate of the time it will take to solve the problem.
  • The system operator of werkenbijmcdonalds.nl will keep you updated on the progress of solving the security issue and will try to resolve it as soon as possible, within a maximum of 60 days. After consultation with Maximum, it can be decided whether and how the resolved security issue will be published.
  • To thank you, a reward will be offered by Maximum. This reward will vary depending on the seriousness of the issue and the quality of the report.

PGP PUBLIC KEY

-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----