Disclosing Security Vulnerabilities
We encourage security researchers to report or disclose security vulnerabilities to us and we also offer a
bounty program to those who are eligible, please read on to learn more about the rules, guidelines and other
Rules when reporting vulnerabilities
- Avoid gaining access to another user’s account, devices, or data.
- Do not perform attack that can impact the availability and reliability of our services or data. Running automated DDoS or SPAM attacks are not allowed.
- Do not publicly disclose the bug before it gets fixed.
- Do not use scanners or automated tools to find vulnerabilities as it creates lot of noise in our logs and we’ll be forced to ban your IP or suspend your account.
- Attempts such as non-technical attacks i.e social engineering, phishing, attacks against our employees and users are not allowed.
- Only sites listed below are allowed for security testing:
- Have any questions, feel free to contact firstname.lastname@example.org.
Rules for us to follow
- We’ll respond as quickly as possible, but do give us 48hours to respond.
- We’ll keep you posted as we roll out the fix for the bug you reported.
- We’ll not take any legal action against you if you adhere to the rules.
- Previously reported issues which we’re already aware of or are in the process of fixing or has determined to be not eligible are out of scope.
- Spam (including issues related to SPF/DKIM/DMARC) are out of scope.
- Bugs that don’t affect the latest version of modern browsers (Chrome, Firefox, Edge, Safari).
- Bugs related to browser extensions are also out of scope.
- Insecure cookie settings for non-sensitive cookies.
- Disclosure of public information and information that does not present significant risk.
- Scripting or other automation and brute forcing of intended functionality.
- CSRF for non-significant actions (logout, etc.)
- Timing attacks to prove the existence of an user.
- Bugs requiring very unlikely user interaction.
- If you’re an employee or ex-employee of Scalefusion (ProMobi Technologies).
- Have any questions, feel free to contact email@example.com
How to report issues?
Writing a good vulnerability report is extremely useful for the development team to understand and analyze the impact, it is also likely to be picked up quickly for fixing because a clearer report reduces the need of multiple communications. We suggest that you follow this excellent HackerOne guide on how to write a good vulnerability report.
Send your vulnerability report to: firstname.lastname@example.org
- How is the bounty reward determined?
Our development and security team considers multiple factors to determine the appropriate reward. We analyze the complexity of successfully exploiting the reported vulnerability, percent of impacted users, potential exposure and classification of vulnerabilities. A critical vulnerability may have a low impact area because of some other protections in place or it requires a special interaction or depends on outdated configuration in users systems.
- How the reward is paid?
The reward will likely be paid through PayPal, unless we notify you otherwise. You may have to fill up some paperwork for our accounting department for compliance purpose.
- Are there any legal terms for the Bounty payment?
When your reported issue is eligible for bounty and you accept the bounty payment then you have to read and agree to our terms of service agreement.
- If you’re participating from a country against which India has export sanctions put in place or trade restrictions then we’ll not be able to pay you the bounty amount.
- If you’re participating from a country against which Uited States or United Nations has export sanctions put in place or trade restrictions then we’ll not be able to pay you the bounty amount.
- You’re solely responsible for any applicable taxes, withholding or otherwise, including from any bounty payments.
- By reporting the issues you’ll not violate any applicable laws in your country or disrupt anything that you do not own.
The bounty amount can range from $50 - $1000, we reserve the right to change the limit in future. The bounty amount will be
determined based on the following classifications:
- Insecure Direct Object Reference
- Cross-site Scripting (XSS)
- Cross-site Request Forgery (CSRF)
- Security Misconfiguration
- Incorrect Session Management or Broken Authentication
- Missing or Incorrect Access Control
- Sensitive Data Exposure
- SQL Injection
- OWASP TOP 10
Have any questions, feel free to contact email@example.com.