Skip to main content

Issue Resolution and Parked Domains

Sven Gerhard
  • Updated

 

Background

https://www.m3aawg.org/sites/default/files/m3aawg_parked_domains_bp-2015-12.pdf

Rules for parked domains:

  • We accept remediations for domains that are parked (only if they don’t redirect to an active website) if they are from the Application Security category.

  • We recommend SPF records for all parked domains.

    • SPF record findings on parked domains are accepted circumstantially; security policy standards are that SPF records are only “recommended” but not an essential mandatory security policy. 

  • Correctly attributed domains that are "parked" will not be removed from the scorecard digital footprint. 

  • If domain is GoDaddy or Domain Register page, remediation will be accepted.

Sample Issue = Site does not enforce https.

The domains were  purchased so that they can’t be used maliciously, or so that they can’t be purchased by anyone else. The domains were parked where they were purchased, with the various hosting companies. There is no data on them, they just have a default parked page that the hosting company creates that shows it’s a parked page.

 

Reasons For Remediation Acceptance

SecurityScorecard will accept the refuted domains if:

  1. There are no DNS records (especially no NS record)

  2. If there IS an NS record, it must have an SPF record

  3. If the domain resolves to any site, that site must have HTTPS (SecurityScorecard would not accept refutes in the HTTPS category if the domains resolved)

If there are no DNS records, and especially no NS record, SecurityScorecard will accept refutes on the SPF record finding. 

SecurityScorecard will assess parked domains or assets that do not redirect to a default page that serves content. These domains can redirect to a landing page or registrar (GoDaddy for example or any defaulted landing page) but if domains are redirected to the main site, these issues will not be allowed for removal.

These parked pages will be allowed for removal from the other issue types under Application Security per the current policies by SecurityScorecard if the above conditions are met for the domains in question.

SecurityScorecard recommends having security headers in place but for parked assets, this is not mandatory.

 

Screen_Shot_2020-06-09_at_1.19.41_PM.png

Related articles