Bountytalk Launched

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - Angelina

Pages: [1] 2 3 ... 24
1
Bug bounty programs / RollBar Bug Bounty
« on: September 20, 2023, 07:27:08 PM »
submit bug report: https://docs.rollbar.com/docs/responsible-disclosure-policy

Responsible Disclosure Policy
Suggest Edits
Rollbar aims to keep its Services safe for everyone, and data security is of utmost priority. If you are a security researcher and have discovered a security vulnerability in the Services, we appreciate your help in disclosing it to us in a responsible manner.

Rollbar will engage with security researchers when vulnerabilities are reported to us in accordance with this Responsible Disclosure Policy. We will validate, respond and fix vulnerabilities in accordance with our commitment to security and privacy. We won't take legal action against or suspend or terminate access to the Services of those who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy. Rollbar reserves all of its legal rights in the event of any noncompliance.

Capitalized terms used in this Responsible Disclosure Policy and not otherwise defined have the meaning ascribed to such terms in our Terms of Service.

Testing
You may test only against an Account for which you are the Account owner or a Member authorized by the Account owner to conduct such testing. In no event are you permitted to access, download or modify data residing in any other Account or that does not belong to you or attempt to do any of the foregoing. You are also prohibited from:

executing or attempting to execute any "Denial of Service" attack;
knowingly posting transmitting, uploading, linking to, sending or storing any Malicious Software;
testing in a manner that would result in the sending unsolicited or unauthorized junk mail, spam, pyramid schemes or other forms of duplicative or unsolicited messages;
testing in a manner that would degrade the operation of the Services;
testing third party applications or websites or services that integrate with or link to the Services.
Reporting
Share the details of any suspected vulnerabilities with the Rollbar Security Team by sending an email to [email protected]. Please do not publicly disclose these details without express written consent from Rollbar. In reporting any suspected vulnerabilities, please include the following information:

Vulnerability details with information to allow us to efficiently reproduce your steps
Your email address
Your name as it should be displayed on this page if you would like it to be
Your Twitter handle or website as it should be displayed
Compensation Requests
Requests for monetary compensation in connection with any identified or alleged vulnerability will be deemed noncompliant with this Responsible Disclosure Policy.

Our Commitment
If you identify a verified security vulnerability in compliance with this Responsible Disclosure Policy, Rollbar commits to:

Promptly acknowledge receipt of your vulnerability report
Provide an estimated timetable for resolution of the vulnerability
Notify you when the vulnerability is fixed
Publicly acknowledge your responsible disclosure

2
Bug bounty programs / Robeco Bug Bounty
« on: September 20, 2023, 07:26:17 PM »
submit bug report: https://www.robeco.com/en/responsible-disclosure.html

Working on system security
Every day, specialists at Robeco are busy improving the systems and processes. This helps to protect the details of our clients against misuse and also ensures the continuity of our services. However, this does not mean that our systems are immune to problems. If problems are detected, we would like your help.

What can we expect from one another?
Report any problems about the security of the services Robeco provides via the internet. If you discover a problem or weak spot, then please report it to us as quickly as possible. Examples of vulnerabilities that need reporting are:

cross-site scripting vulnerabilities
SQL-injection vulnerabilities
encryption weaknesses
What do we expect from you?
Ensure that you do not cause any damage while the detected vulnerability is being investigated. Your investigation must not in any event lead to an interruption of services or lead to any details being made public of either the asset manager or its clients.

What do we do with your report?
A team of security experts investigates your report and responds as quickly as possible. We ask you not to make the problem public, but to share it with one of our experts. Give them the time to solve the problem. We will let you know what our assessment of your report is, whether we will provide a solution and when we plan to do that.

Rules of the game
There is a risk that certain actions during an investigation could be punishable. If you act in good faith, carefully and in line with the rules of the game supplied, there is no reason for Robeco to report you. So follow the rules as stated in these responsible disclosure guidelines and do not act disproportionately:

Do not use social engineering to gain access to a system.
Do not place a backdoor in an information system in order to then demonstrate the vulnerability, as this can lead to further damage and involves unnecessary security risks.
Make as little use as possible of a vulnerability. Only perform actions that are essential to establishing the vulnerability.
Do not edit or delete any data from the system and be as cautious as possible when copying data (if one record is enough to demonstrate the problem, then do not proceed further).
Do not introduce any system changes.
Do not try to repeatedly access the system and do not share the access obtained with others.
Do not use any so-called 'brute force' to gain access to systems. After all, that is not really about vulnerability but about repeatedly trying passwords.
How should you submit a report?
If you have detected a vulnerability, then please contact us using the form below.

What does not need to be reported via the disclosure point?
The disclosure point is not intended for:

submitting complaints about services
making fraud reports and/or suspicions of fraud reports from false mail or phishing e- mails
reporting viruses
submitting complaints or questions about the availability of the website

3
Bug bounty programs / RSK Bug Bounty
« on: September 20, 2023, 07:24:55 PM »
submit bug report: https://developers.rsk.co/contribute/bug-bounty-program/

Bug Bounty Program
IOVLabs has created this bug bounty program to reward security researchers that dedicate time and effort to improve the IOVLabs platforms.


<< Contribute

4
Bug bounty programs / Onfo Bug Bounty
« on: September 20, 2023, 07:23:15 PM »
submit bug report: desk.com/help-center-closed/?utm_source=helpcenter-closed&utm_medium=poweredbyzendesk&utm_campaign=text&utm_content=onfo.zendesk.com


Champions of customer service
OUR PRODUCTS
Zendesk for service
Zendesk for sales
Sunshine Platform
Marketplace
Product updates
TOP FEATURES
Ticketing system
Messaging & live chat
Help center
Voice
Community forums
Reporting & analytics
Answer Bot
Customer service software
Ticketing system software
Live chat software
Knowledge base
Forum software
Help desk software
Workforce management
RESOURCES
Security
Product support
Request a demo
Blog
Training
Partners
Webinars
Customer Stories
Services
COMPANY
About us
Newsroom
Investors
Events
Careers
Diversity & Inclusion
Accessibility Plan
Sustainability
Contact us
Sitemap
System status
Zendesk Foundation
Legal
FAVORITE THINGS
What is Zendesk
Zendesk for Enterprise
Zendesk for Small Business
Zendesk for Startups
Zendesk Benchmark
Gartner CRM Magic Quadrant
Customer Experience Trends
What is CRM?
CRM software guide
Join our research panel

5
Bug bounty programs / Notion Bug Bounty
« on: September 20, 2023, 07:21:40 PM »
submit bug report:https://www.notion.so/Responsible-Disclosure-Policy-5f18bb6b86804eaf989c006131778b9c

# Response Targets

Notion Labs, Inc. will make a best effort to meet the following response targets for hackers participating in our program:

- Time to first response (from report submit) - 3 business days
- Time to triage (from report submit) - 10 business days
- Time to resolution (from report submit) - Varies depending on severity

We’ll try to keep you informed about our progress throughout the process. Feel comfortable reaching out with any questions.

# Disclosure Policy

- As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).


6
Bug bounty programs / Nextcloud Bug Bounty
« on: September 20, 2023, 07:18:48 PM »
submit bug report: https://nextcloud.com

We're inviting researchers all over the globe to take a look at Nextcloud and bring it's security to the next level. If you're interested in learning how we handle security you can read more about it on our dedicated security page.
Program policy
We know how valuable your time is and employ a "No bullshit policy" that boils down to: Don't be a jerk. Instead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after:
Bugs within Nextcloud server and apps supported by Nextcloud GmbH (Note: see scope below for all qualifying and packaged components. Third-party apps from the AppStore are not part of our bounty program.)
Bugs within the mobile iOS and Android sync clients
Bugs within the desktop sync clients for Mac, Windows, and Linux
A bug is for us something that actively allows an attacker to escalate their privileges. Something like "Attacker can delete arbitrary files of other users" is fine, "Missing X-Frame-Options on the download servers" not so much. At the moment we are also considering Denial of Service not a reward worthy vulnerability. (we will acknowledge you though!)
Found a security bug in one of the above-mentioned components? Awesome! Just report it here and we will get back to you. These components are also for what monetary rewards are awarded. Bonus points if you check back with our threat model before.
Found a bug in one of our websites or so? While we can't offer you any monetary reward we will acknowledge the issue and happily accept reports for it via this platform as well. But please do not run any Denial of Service attacks against our infrastructure or extract user data. Please do also refrain from using automated testing tools against our infrastructure or disclosing bugs to other parties before we have published a patch.
We believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed after a grace period.
Rewards
Our rewards are based on severity and range up to $10,000. To give you some guidance we have compiled below list:
Impact   Definition   Highest possible reward
Critical   Gaining remote code execution on the server as a non-admin user. (i.e. RCE)   $10,000
High   Gaining access to complete user data of any other user. (i.e. Auth Bypass)   $4,000
Medium   Limited disclosure of user data or attacks granting access to a single users' user session. (i.e. XSS with CSP bypass)   $1,500
Low   Very limited disclosure of user data or attacks involving a very high unlikely amount of user interaction.   $500
Last updated on August 3, 2021.
View changes
Looking for what's in scope? Check out the new Scope tab above.

7
Bug bounty programs / NBX Bug Bounty
« on: September 20, 2023, 07:13:59 PM »
submit bug report: https://nbxsupport.zendesk.com/hc/en-us/articles/360044264592-NBX-Responsible-Disclosure-Policy

Responsible Disclosure Policy
3 years ago Updated
Information intended for security researchers interested in reporting security vulnerabilities to the NBX security team may see our NBX Responsible Dislosure Policy.

If you are a customer and have a question about security or a password or account issue, please see our Knowledge Base articles or feel free to contact us by opening a support ticket.

8
Bug bounty programs / Myob Bug Bounty
« on: September 20, 2023, 07:03:16 PM »
submit bug report: https://www.myob.com/au/legal/report-security-vulnerability


Belkin International places a high value on security of its networking products. For many people, their home Wi-Fi router is the only barrier between their home network and a multitude of hostile internet threats intent on taking over their devices.



To protect our user’s privacy and security, Belkin is happy to accept all vulnerability reports that adhere to our coordinated vulnerability disclosure guidelines.

IN SCOPE
Belkin routers, range extenders, keyboards, and other networked devices
Linksys routers, range extenders, Wi-Fi dongles, switches, and other networked devices
WeMo home automation switches, light bulbs, cameras, and other networked devices
NOT IN SCOPE
Any services or systems that are hosted by third party providers or Belkin International owned property, services be it physical or intellectual. This includes and is may not only limited to:



Belkin.com, Linksys.com, and WeMo.com web endpoints
WeMo Cloud
Linksys Smart Wi-Fi web and cloud endpoints
Social Engineering and Phishing attacks against Belkin employees, contractors, customers, or support

9
Bug bounty programs / Belkin Bug Bounty
« on: September 20, 2023, 07:00:27 PM »
submit bug report: https://www.belkin.com/security-page.html


Belkin International places a high value on security of its networking products. For many people, their home Wi-Fi router is the only barrier between their home network and a multitude of hostile internet threats intent on taking over their devices.



To protect our user’s privacy and security, Belkin is happy to accept all vulnerability reports that adhere to our coordinated vulnerability disclosure guidelines.

IN SCOPE
Belkin routers, range extenders, keyboards, and other networked devices
Linksys routers, range extenders, Wi-Fi dongles, switches, and other networked devices
WeMo home automation switches, light bulbs, cameras, and other networked devices
NOT IN SCOPE
Any services or systems that are hosted by third party providers or Belkin International owned property, services be it physical or intellectual. This includes and is may not only limited to:



Belkin.com, Linksys.com, and WeMo.com web endpoints
WeMo Cloud
Linksys Smart Wi-Fi web and cloud endpoints
Social Engineering and Phishing attacks against Belkin employees, contractors, customers, or support

10
Bug bounty programs / Legal Bug Bounty
« on: September 20, 2023, 06:59:12 PM »
submit bug report: https://www.lego.com/en-nl/legal/notices-and-policies/responsible-disclosure-policy/?locale=en-nl


Responsible Disclosure Policy
If you believe you have found a security vulnerability in a LEGO® product, please tell us about it.

If you are looking to report a non-security related issue, please use the links below for assistance.

– LEGO® Account. Self-service on https://identity.LEGO.com
– Shop@home, VIP and other problems https://www.LEGO.com/service
– Consumer Service https://www.LEGO.com/service
– Privacy Issues. Contact our privacy officer as described on https://www.LEGO.com/legal/legal-notice/privacy-policy

How to report a security vulnerability to us
If you believe you have found a security vulnerability in one of our web sites or apps, we encourage you to let us know right away. We welcome reports from everyone, including developers, researchers and customers.
To report a security vulnerability, please contact us here and include the following information:

– A URL or an IP address, where you found the issue. When did you find it.
– A description of the issue, including what you saw and what you expected to see.

– A list of steps to reproduce the issue, or a video demonstration if it’s a complicated issue.

How the LEGO Group handles vulnerability disclosure
The LEGO Group will send you an automatic reply to let you know that we received your report, and we’ll contact you if we need more information.

Please note that we do not offer a bug bounty program. This means that the LEGO Group does not pay rewards for disclosed security vulnerabilities.

To protect our customers, we investigate all reported issues, but we do not confirm them publicly.

What we ask of you
• You make a good faith effort to avoid any legal and privacy violations, disruptions to others, including (but not limited to) destruction of data and interruption or degradation of our services.
• You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
• You do not violate any other applicable laws or regulations.

11
Bug bounty programs / Kayak Bug Bounty
« on: September 20, 2023, 06:57:48 PM »
submit bug report: https://www.kayak.co.in/security

We are committed to ensuring the privacy and safety of our users. If you think that you have discovered a security vulnerability on our web site or within our mobile apps, we appreciate your help in disclosing the issue to us. Please do this responsibly by giving us the opportunity to investigate and fix the vulnerability in a timely fashion before publicly disclosing it. Security vulnerability reports will be treated as high priority. We will validate and fix vulnerabilities in accordance with our commitment to security and privacy.

Please provide the following details to help us address and resolve your findings:

Describe the vulnerability (e.g., XSS on hotel results page) you have discovered and if possible, share instructions to help us reproduce it.
Tell us about your environment (e.g., browser product and version, operating system, mobile app platform, app version, device model).
If possible, attach a screenshot.
Send all information to [email protected].
Exceptions from this Policy
General questions related to KAYAK are handled by our Customer Support team – for questions, comments or feedback, click here.

12
Bug bounty programs / Ian Dunn Bug Bounty
« on: September 20, 2023, 06:56:30 PM »
submit bug report: https://hackerone.com/iandunn-projects?type=team

Scope
I'm a developer, so I'm mostly interested in source code bugs, rather than network intrusions. Reports must meet these criteria to be accepted:
It must show tangible/practical security implications. Theoretical scenarios and missing best practices aren't worth the time.
It must include a PoC with complete steps to reproduce.
It must have a medium or higher severity; low severity issues just aren't worth the time (unless they can be chained together to create a higher severity vulnerability).
It must not be mentioned in the Scope Exclusions section.
Reports that don't meet those criteria will be marked as Not Applicable.
Top Targets
Compassionate Comments
Regolith
Quick Navigation Interface
There are more targets listed in the In Scope section below.
Bounties
Severity   Award
High   $100 - $400
Medium   $25-50
Low   $0
Severity is based on CVSS 3, but may be adjusted up or down at my discretion. For example, a vulnerability in a plugin with 10,000 active installations may be higher than a vulnerability in a plugin with 100 active installations.
Scope Exclusions / Common Invalid Reports
My personal website is not in scope. It's not important, and the constant pentesting is annoying.
Common false reports listed on WordPress' Reporting Security Vulnerabilities page. I don't consider usernames sensitive enough to be information disclosure.
Brute force, DoS (including XML-RPC and load-scripts.php), phishing, text injection, or social engineering attacks.
Output from automated scans - please manually verify issues and include a valid proof of concept.
Clickjacking with minimal security implications
Lack of HTTP/MX security headers (CSP, X-XSS, SPF, DMARC, DKIM, etc.)
Mixed content warnings for passive assets like images and videos
Theoretical vulnerabilities where you can't demonstrate a significant security impact with a PoC.
Rare or low-severity edge cases: Like regular bugs, not all security bugs are worth fixing. Some edge cases may be closed as Informative. For example, CEMI attacks using standard trigger characters (like #151516) are welcome, but characters that only work in Excel, or only in old versions of software, etc are not accepted (see #124223).
Invalid reports will be disclosed in order to help other researchers and programs learn from them.

13
Bug bounty programs / Grofers Bug Bounty
« on: September 20, 2023, 06:55:07 PM »
submit bug report: https://blinkit.com/security

Help keep Blinkit safe for the community by disclosing security issues to us
We take security seriously at Blinkit. If you are a security researcher or expert, and believe you’ve identified security-related issues with Blinkit's website or apps, we would appreciate you disclosing it to us responsibly.

Our team is committed to addressing all security issues in a responsible and timely manner, and ask the security community to give us the opportunity to do so before disclosing them publicly. Please submit a bug to us on our HackerOne page, along with a detailed description of the issue and steps to reproduce it, if any. We trust the security community to make every effort to protect our users data and privacy.

For a list of researchers who have helped us address security issues, please visit our HackerOne page.

Submit the bugs to us on our HackerOne page, along with a detailed description of the issue and steps to reproduce it.

14
Bug bounty programs / GoCd Bug Bounty
« on: September 20, 2023, 06:54:10 PM »
submit bug report: https://github.com/gocd/gocd

Note: There is no bounty program or swag in place for this.
No technology is perfect, and GoCD believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Disclosure Policy
Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
In scope
Your own GoCD installation
SQL injection
Remote code execution
Cross-site scripting
Cross-site request forgery
Directory Traversal
Information Disclosure
Privilege escalation
Other things that would obviously leave user data vulnerable
Out of scope
Public websites (https://*.gocd.org)
Submitting test data to our public websites (https://*.gocd.org/*)
GoCD instances of third parties
Denial of service
Spamming
Social engineering (including phishing) of GoCD staff or contractors
Any physical attempts against GoCD property or data centers
NOTE: PLEASE do not report clickjacking on www.gocd.org. It's hosted by GitHub Pages and we have no control over it, to change X-FRAME-OPTIONS.
Thank you for helping keep GoCD and our users safe!
NOTE
We have experimental/nightly releases on our website at
https://www.gocd.org/download/?experimental=true
We recommend using these while testing to avoid reporting duplicates.

15
Bug bounty programs / GeoTab Bug Bounty
« on: September 20, 2023, 06:53:24 PM »
submit bug report: https://www.geotab.com/security/

Geotab’s security policy
Geotab takes a rigorous approach to information security following the principle of continuous improvement. To protect ourselves, our customers and partners, Geotab is constantly reviewing, improving and validating our security mechanisms and processes to ensure our systems remain resilient to intrusion and disaster. Geotab also collaborates with leading stakeholders to advance security across the industry. As we grow, more industries, fleets and customers will benefit from Geotab’s uncompromising stance on information security.

Compliance
Geotab demonstrates our commitment to information security and data protection through validation of our system and processes. Compliance certifications and authorizations:

•ISO/IEC 27001:2013 Information Security Management System

•FedRAMP Authorized for Geotab cloud-based telematics platform

•FIPS 140-2 validation for the Geotab GO device cryptographic library

•Cyber Essentials Certificate

Cybersecurity
Cybersecurity is an essential part of your business, now more than ever. Learn data security best practices for executives. Get information on cybersecurity notifications and standards to help mitigate cyber risk.


Customer data privacy
Geotab provides its customers with an industry-leading, open platform fleet management solution for collecting and analyzing vehicle and fleet data. With Geotab, customers have power and control over their own data. Although the Geotab platform does not require personal data, nevertheless, some customers may choose to include personal data (also called personally identifiable information or PII), such as driver-specific data, to help achieve additional business goals.

Maintaining the privacy of customers’ data is an important priority of Geotab’s data management activities. As a data processor, Geotab implements and maintains technical and organizational measures designed to keep customer data secure and private. Individual customer data is processed according to the customer’s instructions and chosen settings that enable the proper functioning of the solution and its ongoing improvement. Geotab has carefully controlled and audited access to personal data in a customers’ database in the event that the customer needs support on their data for safety or troubleshooting.

Vulnerability responsible disclosure
Geotab takes security and transparency very seriously and we appreciate the ongoing efforts of Individuals or entities who study security and/or security vulnerabilities. To better serve security researchers, Geotab has developed a program to make it easier to report vulnerabilities and to recognize those researchers for their effort to make the Internet a safer place. This policy provides Geotab’s guidelines for reporting vulnerabilities to Geotab.

If you believe you have found a security vulnerability that could impact Geotab or our customers, we encourage you to let us know right away. We will investigate all legitimate reports and do what is required to fix the problem as soon as possible. We ask that all researchers follow our Vulnerability Disclosure Policy and make a good faith effort to avoid privacy violations, destruction of data and interruption of services during your research.

Pages: [1] 2 3 ... 24