Vulnerability disclosure policies (VDPs)

Disclaimer: Please note that we are already working with a skilled pool of security experts. If you are not a partner of ours, we will not be able to process your findings unless they are of the level High or Critical and you provide us with a PoC.

Severity Levels

  Level     Description
  Critical  May allow attackers to access sensitive data and run server-side code on your application
  High      May allow attackers to access sensitive data in your application
  Medium    Under some conditions, may allow attackers to access sensitive data on your application
  Low       Application may expose some data that allows vulnerability mapping, which can be used together with other vulnerabilities to attack the application

Submission of a finding

If you are already a partner of ours, or you have found a vulnerability of the level High or Critical, please submit your findings to [email protected]

Reward

Depending on the vulnerability, we will reward you with a bug bounty. Rewards are always paid at the end of the month. All bugs that you have reported and that we have fixed within the last month will be collected and paid out together as one accumulated bounty.

Please read the following points on which vulnerabilities are accepted and which ones are out of scope.

Vulnerabilities accepted

Accepted, in-scope vulnerabilities include, but are not limited to:

  • Broken Authentication and Session Management
  • Injection vulnerabilities
  • Cross-Site Scripting (XSS) - Note: any report based on JavaScript being inserted on a landing page will not be fixed nor rewarded.
  • Remote Code Execution
  • Insecure Direct Object Reference
  • Sensitive Data Exposure
  • Security Misconfiguration
  • Missing Function Level Access Control
  • Using Components with Known Vulnerabilities
  • Directory/Path traversal
  • Exposed credentials

Out-of-scope

Certain vulnerabilities are considered out-of-scope for the Responsible Disclosure Program. Those out-of-scope vulnerabilities include, but are not limited to:

  • MITM Reflected XSS
  • Cross-Origin Resource Sharing (CORS) vulnerabilities
  • MIME sniffing vulnerabilities
  • CSP header vulnerabilities
  • Social Engineering attacks
  • Race conditions
  • Account enumeration using brute-force attacks
  • Weak password policies and password complexity requirements
  • Leaked accounts because of weak passwords
  • Missing HTTP security headers which do not lead to a vulnerability
  • Reports from automated tools or scans
  • Presence of autocomplete attribute on web forms
  • Missing cookie flags on non-sensitive cookies
  • Reports of SSL/TLS issues, best practices or insecure ciphers
  • Test versions of applications
  • Mail configuration issues including SPF, DKIM, DMARC settings
  • Clickjacking on pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Attacks requiring MITM or physical access to a user's device
  • Previously known vulnerable libraries without a working Proof of Concept
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability
  • Any activity that could lead to the disruption of our service (DoS)
  • Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS
  • Rate limiting or brute-force issues on non-authentication endpoints
  • Missing best practices in Content Security Policy
  • Missing HttpOnly or Secure flags on cookies
  • Vulnerabilities only affecting users of outdated or unpatched browsers
  • Software version disclosure / Banner identification issues
  • Tab nabbing
  • Open redirects
  • Issues that require unlikely user interaction
  • Solutions affected by known CVEs published less than 30 days ago
  • Third-party software we are using (Tawk, Matomo, BunnyCDN ...)
Last update 1 month ago