LocalTapiola: Source Code Disclosure on out of scope domain viestinta.lahitapiola.fi

2016-04-25T14:06:49
ID H1:134406
Type hackerone
Reporter konqi
Modified 2016-05-12T11:45:47

Description

Issue

The reporter had found an open .git folder on one of our out-of-scope domains.

Fix

The issue was investigated and found to be valid. The source code was removed from the public server. The source code did not contain any business critical information and customer information was never at risk.
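The finding above is the classic exposed-repository check: if a web server hands out `/.git/HEAD`, the rest of the repository (and thus the source) can usually be reconstructed. The example below is added here for defenders auditing their own hosts and is not code from the report or from LocalTapiola; it classifies a constructed set of sample responses, and its main point is the edge case that a catch-all page returning HTTP 200 is not the same as an exposed repository.

```python
import re

# Constructed sample responses, as a server might return them for GET /.git/HEAD.
# Each entry is (status, content_type, body). None of these come from the report.
SAMPLES = {
    "real_head": (200, "text/plain", "ref: refs/heads/master\n"),
    "detached_head": (200, "application/octet-stream",
                      "0123456789abcdef0123456789abcdef01234567\n"),
    "soft_404": (200, "text/html", "<html><body>Page not found</body></html>"),
    "blocked": (403, "text/html", "<html><body>Forbidden</body></html>"),
}

# A git HEAD file is either a symbolic ref ("ref: refs/heads/...") or,
# in detached-HEAD state, a bare 40-hex commit id.
_REF_LINE = re.compile(r"^ref: refs/[A-Za-z0-9._/-]+\s*$")
_SHA_LINE = re.compile(r"^[0-9a-f]{40}\s*$")


def is_git_head_content(body: str) -> bool:
    """True if the body is a plausible .git/HEAD file, not an arbitrary page."""
    lines = body.strip().splitlines()
    if not lines:
        return False
    first = lines[0].strip()
    return bool(_REF_LINE.match(first) or _SHA_LINE.match(first))


def classify_head_response(status: int, content_type: str, body: str) -> str:
    """Classify a /.git/HEAD response for an audit of one's own host.

    'exposed'      - the repository metadata really is being served
    'inconclusive' - 200 but the body is not HEAD content (soft-404, catch-all)
    'not_exposed'  - the server refused or could not find it
    """
    if status != 200:
        return "not_exposed"
    if is_git_head_content(body):
        return "exposed"
    return "inconclusive"


def audit_samples(samples: dict = SAMPLES) -> dict:
    """Run the classifier over every constructed sample and return the verdicts."""
    return {name: classify_head_response(*resp) for name, resp in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:14s} -> {verdict}")
```

Anything classified as `exposed` should be fixed the way the report describes (remove the repository from the document root) and, as a second layer, by denying the `.git` path at the web server so a future deploy cannot reintroduce it.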

Reasoning

Most out-of-scope reports are closed as informative: they are not part of the bug bounty program, but they might still provide useful information (please see the policy for more details). As LocalTapiola does take security seriously, there are cases where action is warranted on out-of-scope reports as well. In this specific case, because action was taken to fix the issue, it was decided to award the reporter with swag and to do a limited public disclosure.