




Messages - Angelina

16
Bug bounty programs / Garmin Bug Bounty
« on: September 20, 2023, 06:51:25 pm »
submit bug report: https://www.garmin.com/en-US/legal/security/

Keeping Data Safe at Garmin
Garmin aims to keep its products, apps and websites safe for everyone, and data security is very important to us. To that end, here’s some information about the measures Garmin takes to secure data.

Garmin’s Responsible Disclosure Policy
Data security is a priority at Garmin. If you are a security researcher or Garmin customer and think you’ve found a security issue or vulnerability, we appreciate your help in disclosing it to us in a responsible manner. Please don’t access or modify data without permission, and act in good faith not to degrade the performance of our products, apps and websites.

If you believe you have discovered a vulnerability or have a security incident to report, let us know. Please include a detailed description of the possible vulnerability and an email address where we can reach you in case we need more information.

We appreciate your help in making Garmin products, apps and websites secure. We'd also like to thank all those who have already reported security issues.

View, Export or Delete Your Data
View the information Garmin maintains about your account, registered devices, mobile apps and more. You can request a copy of it or ask us to delete it.

Get Help with a Product
Our product experts can help you get back on track with relevant answers and solutions.

Frequently Asked Questions about Garmin Security
What does Garmin do to try to prevent and resolve security issues?
Garmin has dedicated security personnel who are armed with an array of security tools that protect and monitor for threats 24/7. Security personnel work closely with teams throughout Garmin in an effort to keep products, apps and websites safe. Members of the Garmin team are also continually keeping our servers up to date with security patches and operating system updates.

How is my personal data protected?
Garmin uses a variety of safeguards, personnel and processes that form defense-in-depth barriers to protect your data. Garmin continuously evaluates our security posture to further enhance the security of your data.

What access do third parties have to my personal data?
Please review our Privacy Statement to read about the ways your personal data may be shared with third parties.

17
Bug bounty programs / Trellix Bug Bounty
« on: September 20, 2023, 06:50:16 pm »
submit bug report: https://supportm.trellix.com/webcenter/portal/supportportal/pages_home

18
Bug bounty programs / Firebase Bug Bounty
« on: September 20, 2023, 06:49:16 pm »
submit bug report: https://firebase.google.com/support


19
Bug bounty programs / Files Bug Bounty
« on: September 20, 2023, 06:47:29 pm »
submit bug report: https://www.files.com/

Here at Files.com, we celebrate security and we encourage independent security researchers to help us keep our products secure.
We offer a Security Bug Bounty Program (the "Program") to create an incentive and reward structure so that researchers are able to devote resources to working on Files.com.
We will pay $100 to $10,000, at our discretion, to any researcher who discovers a significant security vulnerability in Files.com. We pay quickly and fairly, every time, as long as you follow our rules.
If you've found a vulnerability or would like to perform security research against Files.com, please read through the rules below.
NOTE: Testing is only authorized on the targets listed as In-Scope. Any domain/property of Files.com or Action Verb LLC (the owner and operator of Files.com) not listed in the targets section is out of scope. This includes any/all subdomains not listed in the In-Scope section.
Reports We Are Looking For
We want to know about anything about our platform that poses a significant security vulnerability to either us or our customers.
These can include:
Privilege Escalation
Authentication Bypass
Leakage of Sensitive Data
Remote Code Execution
SQL Injection
Cross-Site Request Forgery (XSRF)
Cross-Site Scripting (XSS)
Code Injection
... and more!
On the marketing site asset (https://www.files.com) we are looking for vulnerabilities that lead to a vulnerability on the actual *.files.com platform.
Bug Bounty Program Requirements
To participate in our program, you must create a trial account on our platform by navigating to Files.com and clicking the button to start a Free Trial. That Trial sign-up process will create the 'your-assigned-subdomain.files.com' URL to be used for testing.
VERY IMPORTANT: Your account must include the phrase "[BUGBOUNTY]" in the "Company Name" used when registering. (Without the quotes, no space between the two words, but with square brackets.)
Here is an example of the values to use in the Trial sign up form:
Company name: [BUGBOUNTY] Trial Company
Phone Number: 555-555-5555
Work email: [email protected]
Password: Pa55w0rd
Absolutely do not under any circumstances input payment card information (credit card or debit card) or make a payment unless you intend to pay the charge in full. If you properly tag your account as a [BUGBOUNTY] site by following the directions above, we will not prompt you for payment during your testing period.
Failure to abide by the above will result in your full disqualification from this program.
Additional Rules:
Do not create more than four trial accounts within a 60-day period for the purpose of conducting security research against our platform.
Do not attempt to gain access to another user's account or data.
Do not impact other users with your testing.
Do not perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
Do not publicly disclose a bug either before or after it has been fixed. Public disclosure means disclosure to anyone, even on private "Hacker" websites and forums.
Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Do not upload information about the vulnerability to any site you do not directly own. This includes uploading videos to YouTube, Vimeo, etc., even if marked private.
Any scanners or automated tools used to find vulnerabilities need to be rate limited.
Decisions made by us regarding the eligibility of submissions are final. Do not write back to dispute a decision.
You are expected to be 100% professional and pleasant to work with via E-Mail.
Reports That Do Not Qualify
The following types of reports do not qualify and will not pay a bounty.
Anything related to billing, pricing, ability to get "free" service, ability to not be charged for certain types of usage, etc. Our billing is all manually reviewed and none of these things are a problem in practice.
Reports related to actual authenticated Site Admins being able to use their position as Site Admin to attack other users by using sitewide administration features.
Vulnerabilities that only affect outdated or unpatched browser/plugin versions.
Vulnerabilities requiring exceedingly unlikely user interaction.
Vulnerabilities, such as timing attacks, that prove the existence of a user or site.
Vulnerabilities requiring social or physical attacks.
Reports related to denial of service attacks or DNSsec.
Insecure cookie settings for non-sensitive cookies.
Reports related to HTTP Digest authentication being better than HTTP Basic (it isn't).
Reports related to password strength requirements
Disclosure of public information and information that does not present significant risk.
Vulnerabilities that have already been submitted by another user, that we are already aware of, or that have been classified as ineligible.
Scripting or other automation and brute forcing of intended functionality.
Issues that we can't understand or reproduce.
Vulnerabilities that involve running local code to modify or manipulate the desktop application on Windows or Mac.
Reports related to the Quarantine feature on Mac.
Commonly False Positive Reports
Files.com is an FTP, SFTP, and WebDAV hosting service. Obviously this means that we will have an open FTP server on port 21, SFTP on port 22, and it means that our servers respond to DAV verbs.
EXIF Geolocation data not being stripped. Files.com does not alter uploaded content in any way. Users are free to upload and share content any way they want.
Files.com offers the ability to make a folder publicly hosted at https://subdomain.hosted-by-files.com/folder_name/. This hosting mode is intended to be full-featured web hosting just like any other web hosting provider, meaning that the ability to serve full websites with Javascript is intended. This means that you can upload malicious Javascript to that folder and have it be served. That's intentional. In order for an XSS attack related to public hosting to be in scope, it needs to relate to one Files.com customer attacking another customer, rather than attacking itself.
Important Terms
We aim to pay bounties as quickly as possible and will pay bounties sometimes before the issue is patched. Therefore, we require that you do not disclose any vulnerability publicly, either before or after the bounty is paid.
If paid a bounty, you may disclose that you received a bounty, but you may not disclose the amount or any information related to the type of vulnerability you found. Under no other circumstances may you disclose anything about your participation in this program.
You are still bound by the Terms of Service you agreed to upon signup for your Trial account. Please read and understand this document as it affects your rights.
To Report a Vulnerability
To report a vulnerability, first re-read this entire page to be sure that you understand the terms. We may refuse to pay bounties if you violate the terms on this page, even if we act on the submission.
We will respond as quickly as possible to your submission.

20
Bug bounty programs / Silverstreet Bug Bounty
« on: July 31, 2023, 06:03:35 pm »
submit bug report: https://www.silverstreet.com/

You create the message
we handle the delivery
Connect with anybody, anytime, anywhere. We offer programmable SMS, AI Messaging, 2FA, and Omnichannel communication platforms for you as tools to boost your business. Integrate with our easy-to-use API and benefit from our 24/7 support and global network coverage.


Twizo Communicate
Customise your campaign with a few clicks.


Twizo Authenticate
Protect your customer data with Two-Factor Authentication.


SMS
Send SMS in large quantities through the highest quality routes in a fast, scalable and cost-effective way.


Number Lookup
Check the operator before sending to run a more cost-effective campaign.

 
Number Lookup
Mobile Number Portability (MNP) is now a worry of the past.

Protect your service and your customers by preventing fraud and security breaches through the use of Number Lookup.

 
Twizo Authenticate
Security Authentication - Quick Integration, Many Solutions.

Twizo makes online security simple through easy integration and a variety of authentication solutions. We serve customers globally allowing them to scale their businesses while we worry about their security.

 
Twizo Communicate
Seamlessly navigate through our services.

Our cloud based mobile communicator provides you with access to all of our features to manage your campaign, engage with your customers and track the results of your efforts.

 
SMS
A powerful way to communicate with your customers on a global scale.

Our API enables you to send SMS in large quantities through the highest quality routes in a fast, scalable and cost-effective way. A powerful tool to communicate with your customers across the globe.


21
Bug bounty programs / SEEK Bug Bounty
« on: July 31, 2023, 05:51:12 pm »
submit bug report: https://bugcrowd.com/seek

For this program, we're inviting researchers to test SEEK's web applications and services, with a focus on identifying security weaknesses that might lead to the compromise of our customer data (mainly job seekers' profiles and resumes).

Thank you for participating!

A Few Important Requirements for SEEK:
Denial of Service, Rate Limiting, and other automated attacks are not allowed. Please do NOT use automated tooling when conducting testing on SEEK assets.
All testing must be conducted using your @bugcrowdninja.com email ID only. If you fail to use your @Bugcrowdninja.com email ID, you run the risk of getting blocked from accessing SEEK applications.
Customer instances are not to be accessed in any way (i.e. no customer data is accessed, customer credentials are not to be used or "verified")
If you believe you have found sensitive customer data (e.g., login credentials, API keys etc) or a way to access customer data (i.e. through a vulnerability) report it, but do not attempt to successfully validate if/that it works.
Ratings/Rewards:
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that a vulnerability priority will be modified due to its likelihood and impact. In any instance where an issue is downgraded, SEEK will provide a reasonable justification to the researcher.

To maximize your reward and payout time frame, please make sure to include the following in your report:

An attack scenario: What is the most likely way an attacker could abuse this vulnerability?
Clear reproduction steps: If we can't easily replicate what you are describing, we may not consider the issue as serious.
Recommended fix: If you have any good ideas on ways to mitigate the risk without impacting normal users, your submission will have more value.
Triage SLA
For P1/P2 issues, we aim to complete our triage within one business week of the issue being reported. For other issues, it may take us up to three business weeks to triage the issue.

22
Bug bounty programs / Robeco Bug Bounty
« on: July 31, 2023, 05:49:42 pm »
submit bug report: https://www.robeco.com/en-int/responsible-disclosure

Working on system security
Every day, specialists at Robeco are busy improving the systems and processes. This helps to protect the details of our clients against misuse and also ensures the continuity of our services. However, this does not mean that our systems are immune to problems. If problems are detected, we would like your help.

What can we expect from one another?
Report any problems about the security of the services Robeco provides via the internet. If you discover a problem or weak spot, then please report it to us as quickly as possible. Examples of vulnerabilities that need reporting are:

cross-site scripting vulnerabilities
SQL-injection vulnerabilities
encryption weaknesses
What do we expect from you?
Ensure that you do not cause any damage while the detected vulnerability is being investigated. Your investigation must not in any event lead to an interruption of services or lead to any details being made public of either the asset manager or its clients.

What do we do with your report?
A team of security experts investigates your report and responds as quickly as possible. We ask you not to make the problem public, but to share it with one of our experts. Give them the time to solve the problem. We will let you know what our assessment of your report is, whether we will provide a solution and when we plan to do that.

Rules of the game
There is a risk that certain actions during an investigation could be punishable. If you act in good faith, carefully and in line with the rules of the game supplied, there is no reason for Robeco to report you. So follow the rules as stated in these responsible disclosure guidelines and do not act disproportionately:

Do not use social engineering to gain access to a system.
Do not place a backdoor in an information system in order to then demonstrate the vulnerability, as this can lead to further damage and involves unnecessary security risks.
Make as little use as possible of a vulnerability. Only perform actions that are essential to establishing the vulnerability.
Do not edit or delete any data from the system and be as cautious as possible when copying data (if one record is enough to demonstrate the problem, then do not proceed further).
Do not introduce any system changes.
Do not try to repeatedly access the system and do not share the access obtained with others.
Do not use any so-called 'brute force' to gain access to systems. After all, that is not really about vulnerability but about repeatedly trying passwords.
How should you submit a report?
If you have detected a vulnerability, then please contact us using the form below.

What does not need to be reported via the disclosure point?
The disclosure point is not intended for:

submitting complaints about services
making fraud reports and/or reporting suspicions of fraud from false mail or phishing e-mails
reporting viruses
submitting complaints or questions about the availability of the website

23
Bug bounty programs / ResMed Bug Bounty
« on: July 31, 2023, 05:48:12 pm »
submit bug report: https://www.resmed.com/en-us/security/

Our security
ResMed, a global leader in digital health, is dedicated to proactively solving the complex challenges of information security, strengthening our defenses against threats and mitigating risks. We’ve built our processes and protocols from best practices in order to maintain confidentiality and data integrity for the business, our employees, our partners and our patients. Below are a sample of the controls we utilize across ResMed and subsidiary companies:

 

Layers | Threats | Defenses
Physical | Physical intrusion, social engineering | Badged access, data center controls, training, assessments
Cloud | Data loss, misconfiguration | Data loss prevention (DLP), configuration monitor, security information and event management (SIEM), web application firewall
Network | Hacking, denial of service (DoS) | IDS/IPS firewalls, strict ACLs, virtual private network (VPN), app security, SIEM
Platform | Phishing, malware, hacking | Employee training, phishing campaigns, URL filtering, security ops center, email security
PCs and mobile devices | Malware, ransomware, hacking, device loss | Traditional and next-generation anti-virus, device encryption, asset management
Application | SQL injection, man-in-the-middle, software vulnerability, hacking | Penetration testing, coding standards, patching, secure software development life cycle (SDLC)
Data | Unauthorized access | Encryption, IDS/IPS firewalls, backup/recovery, VPN, multi-factor authentication (MFA)
Response | Security event, breach, data corruption or loss, system loss | SIEM incident response, dedicated security team, third-party support
Security news
Okta Breach

ResMed is aware of the LAPSUS$ attack on Okta and is assured that none of our customers' information has been impacted. This has been confirmed both by our internal teams and by Okta.

Log4j (Log4Shell) Vulnerability

Read about how ResMed is dealing with this threat here: Log4j Security Bulletin

AirBreak

ResMed Statement on the Role of CPAP in Mitigating the Effects of COVID-19

Ripple20 Security Vulnerabilities

On June 16, 2020, a set of vulnerabilities in the Treck TCP/IP stack was made public. If exploited, these vulnerabilities could interfere with the function of medical devices.

We have examined our devices and have confirmed that some products use the affected components: ResMed Connectivity Module Hospital (RCMH), Astral, and TxLink. The Ethernet port is disabled at the time of shipping for RCMH and Astral, which prevents access to the TCP/IP stack. The TxLink device is intended for use within private networks under supervised conditions and is considered low risk with respect to Ripple20.

URGENT/11 Security Vulnerabilities

On July 29, 2019, the URGENT/11 set of vulnerabilities in Real-Time Operating Systems was made public. If exploited, these vulnerabilities could interfere with the function of medical devices, particularly within hospital networks.

We have examined our devices and can confirm that the vulnerable Operating Systems are not in use within our medical devices and that we are not exposed to this set of vulnerabilities.

Recruitment Fraud Alert
It has come to our attention that various individuals and organizations are offering false employment opportunities on behalf of ResMed. Such fraudulent communications may come from various sources, including fake websites and/or unsolicited emails. These communications seek to obtain personal data and payment from victims by offering jobs at ResMed that do not exist.

Please be advised ResMed would never ask for payment to progress a job application. When in doubt, please check to see if the position is posted on our website careers.resmed.com before applying.

Additionally, please report any suspicious recruiting activity to complaint.ic3.gov.

ResMed Responsible Disclosure Program
Response targets

ResMed will make a best effort to meet the following SLAs for hackers participating in our program:

Type of response | SLA in business days
First response | 5 days
Time to triage | 10 days
Time to resolution | depends on severity and complexity
 
We’ll try to keep you informed about our progress throughout the process.

Disclosure policy

Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Follow HackerOne's disclosure guidelines.
 

Program rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Physical attacks are prohibited.
Disclosing any client or patient information is prohibited.
Disclosing the vulnerability publicly in any way before ResMed provides permission is prohibited.
Testing on third party vendors is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
 

Out-of-scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

Highly speculative/theoretical vulnerabilities or previously known vulnerable libraries without a working proof of concept
Best practice suggestions that are not vulnerabilities (i.e. missing HttpOnly or Secure flags, SSL/TLS configuration, etc.)
Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
Credential re-use from public dumps
Automated scan reports or search engine results (i.e., Shodan, SSL Labs, etc.) without valid proof of concept
Vulnerabilities only affecting users of outdated or unpatched browsers [fewer than two stable versions behind the latest released stable version]
Clickjacking on pages with no sensitive actions
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Attacks requiring MITM or physical access to a user's device
Comma Separated Values (CSV) injection without demonstrating a vulnerability
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Rate limiting or bruteforce issues on non-authentication endpoints
Software version disclosure/banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
Tabnabbing
Open redirect - unless an additional security impact can be demonstrated
Issues that require unlikely user interaction
 

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep ResMed and our users safe!

24
Bug bounty programs / Relaso Bug Bounty
« on: July 31, 2023, 05:46:22 pm »
submit bug report: https://www.relaso.com/disclosure/

Vulnerability Reporting Policy
The Relaso.com security team acknowledges the valuable role that independent security researchers play in Internet security. Keeping our customers’ data secure is our number-one priority, and we encourage responsible reporting of any vulnerabilities that may be found in our site or application. Relaso.com is committed to working with the security community to verify and respond to any potential vulnerabilities that are reported to us. Additionally, Relaso.com pledges not to initiate legal action against security researchers for penetrating or attempting to penetrate our systems as long as they adhere to the conditions below.


Testing for security vulnerabilities
Conduct all vulnerability testing against Trial or Developer Edition organizations (instances) of our online services to minimize the risk to our customers’ data.


Reporting a potential security vulnerability
Privately share details of the suspected vulnerability with Relaso.com by sending an email to [email protected]
Provide full details of the suspected vulnerability so the Relaso.com security team may validate and reproduce the issue


Relaso.com does not permit the following types of security research
Causing, or attempting to cause, a Denial of Service (DoS) condition
Accessing, or attempting to access, data or information that does not belong to you
Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you


The Relaso.com security team commitment
To all security researchers who follow this Relaso.com Vulnerability Reporting Policy, the Relaso.com security team commits to the following:

To respond in a timely manner, acknowledging receipt of your report

To provide an estimated time frame for addressing the vulnerability
To notify the reporting individual when the vulnerability has been fixed


No compensation
Relaso.com does not compensate people for reporting a security vulnerability, and any requests for such compensation will be considered a violation of the conditions above. In such an event, Relaso.com reserves all of its legal rights.

25
Bug bounty programs / Philips Bug Bounty
« on: July 31, 2023, 05:43:49 pm »
submit bug report: https://www.philips.com/a-w/security/coordinated-vulnerability-disclosure.html

Philips is committed to ensuring the safety and security of patients, operators and customers who use our products and services. Philips maintains a global network of product security officers for developing and deploying advanced best practice security and privacy features for our products and services, as well as for managing security events.

 

 

Philips operates under a global product security policy, which guides our incident management and all risk assessment activities relating to potential security and potential privacy vulnerabilities identified in our products and services. Philips supports coordinated vulnerability disclosure, and encourages vulnerability testing by security researchers and by customers, with responsible reporting to Philips. To this end, Philips maintains a product security page with information on coordinated vulnerability disclosure at www.philips.com/security.

When submitting reports of vulnerability findings, please ensure the following procedures are followed, for safe and efficient support.

Our PGP public key (2.0KB)
 
Reporting Procedure

1. Please use our PGP public key to encrypt any email submissions to us at [email protected].
2. Please provide us with your reference/advisory number and sufficient contact information, such as your organization and contact name so that we can get in touch with you.
3. Please provide a technical description of the concern or vulnerability.
        a) Please provide information on which specific product you tested, including product name and version number; the technical infrastructure tested, including operating system and version; and any relevant additional information, such as network configuration details.
        b) For web-based services, please provide the date and time of testing, URLs, the browser type and version, as well as the input provided to the application.
4. To help us verify the issue, please provide any additional information, including details on the tools used to conduct the testing and any relevant test configurations. If you wrote specific proof-of-concept or exploit code, please provide a copy. Please ensure all submitted code is clearly marked as such and is encrypted with our PGP key.
5. If you have identified specific threats related to the vulnerability, assessed the risk, or have seen the vulnerability being exploited, please provide that information also PGP-encrypted.
6. If you communicate vulnerability information to vulnerability coordinators such as ICS-CERT, CERT/CC, NCSC or other parties, please advise us and provide their tracking number, if one has been made available.
7. When possible, provide the report in English to expedite the process.

26
Bug bounty programs / Panzura Bug Bounty
« on: July 31, 2023, 05:42:51 pm »
submit bug report: https://panzura.com/

Panzura lets you put your data to work.
HOW IT BENEFITS YOU

Create comprehensive workloads in any public cloud without sacrificing security or egressing data.
Leverage actionable intelligence to increase time-to-value from internal data.
Simplify complex processes using our efficient, highly-secure single platform.
Eliminate duplicated data & locate missing files in seconds.

27
Bug bounty programs / Panasonic Bug Bounty
« on: July 31, 2023, 05:41:09 pm »
submit bug report: https://holdings.panasonic/global/corporate/product-security/psirt/policy.html

Panasonic Product Security Incident Response Team
PSIRT
Please read the information below concerning Panasonic's policy on personal information practices on the website, and indicate your consent by clicking the "I agree; go to the next page" button. This will take you to Inquiry Form.
Note: You cannot proceed to Inquiry Form if you do not indicate your consent to the contents below. Thank you for your understanding.

[Personal Information Practices on the Website]

(1) Company name and personal information protection manager
Panasonic Corporation Panasonic PSIRT

(2) Purposes of use of personal information
Personal information entered and obtained will be used as follows:
To solve the vulnerabilities and record them

(3) Provision of personal information
In some cases we will provide personal information we have obtained, such as a customer's name and contact information, to an affiliate of the Panasonic Group, by paper or electronic medium, when we have determined that it is appropriate for the affiliate of the Company Group to respond to a product inquiry. In such cases, customers are able to request that the Company stop providing their personal information to group companies.

(4) Consignment of personal information management
In some cases we will consign all or part of the management of personal information we have obtained within a necessary scope determined by the purposes described above.

(5) Disclosure of personal information subject to disclosure and call center
Individuals who have provided personal information to Panasonic may request that Panasonic perform any of the following actions in respect to such information that is subject to disclosure.
a) Notify them of the purpose
b) Disclose the content of the information held
c) Revise or make corrections to information
d) Add new information
e) Remove information no longer relevant
f) Terminate the usage of personal information held
g) Dispose of all personal information held
h) Terminate the provision of personal information to third parties
For requests concerning any of the above actions, please contact us via inquiry form.
Panasonic Corporation Panasonic PSIRT

(6) Notes on entering personal information
In some cases, we will contact individuals by e-mail or telephone. Please note that if you do not enter your telephone number or e-mail address we may be unable to contact you.

(7) Acquisition of personal information by means that cannot identify individuals easily
We do not obtain personal information using means such as cookies or Web beacons by which individuals cannot be easily identified.

(8) Bug Bounties
Panasonic Corporation does not run a bug bounty program for its products.

(9) Vulnerability Coordination Policy / Vulnerability Disclosure Policy
Panasonic PSIRT will handle reported vulnerabilities in accordance with this policy.

(10) CVE Numbering Authority (CNA)
As of December 1, 2021, Panasonic PSIRT has become a CVE Numbering Authority (CNA). As a CNA, Panasonic PSIRT will assign CVE ID to vulnerabilities found in Panasonic products. For Panasonic products reported with vulnerabilities, we will assign CVE IDs and disclose them in a timely manner to protect the security and safety of our products and customers.

28
Bug bounty programs / OLA Bug Bounty
« on: July 31, 2023, 05:39:54 pm »
submit bug report: https://whitehat.olacabs.com/

Bug Bounty Program Information
The Ola Bug Bounty Program ("Program") is designed to encourage security researchers to find security vulnerabilities in Ola's software and to recognize those who help us create a safe and secure product for our customers and partners. The Program is operated and facilitated by ANI Technologies Private Limited and its affiliates (together "Ola").

If you believe you have found a security vulnerability in Ola software, we encourage you to let us know as soon as possible. We will investigate the submission and, if it is found valid, take the necessary corrective measures. We may request additional information regarding the vulnerability(ies), which you will cooperate in providing. We request you to review our bug bounty policy as mentioned below, along with the reporting guidelines, before you report a security issue. By submitting any information to us, you agree to be bound by these terms and conditions ("T&Cs").

To show our appreciation for the security researchers, we offer a monetary reward / goodies for all valid security issues based on the severity, impact and complexity of the same; the individual will also be given an honourable mention in our Hall of Fame.

The information on this page is intended for security researchers interested in reporting security vulnerabilities to the Ola security team. If you are an Ola customer and have concerns regarding non-information-security-related issues, or are seeking information about your Ola account / complaints, please reach out to customer support.

Reporting security issues
Go to the Report a Vulnerability page to report security issues related to our applications.

Rewards
We offer monetary rewards for security issues which meet the following criteria:

The minimum monetary reward for eligible bugs is 1000 INR. All reward amounts, once communicated by Ola, are non-negotiable.
We may reward only with awesome goodies depending on the severity of the vulnerability.
Apart from monetary benefits, vulnerability reporters who work with us to resolve security bugs in our products will be honored on the Hall of Fame page.
Rewards are decided based on the severity, impact, complexity and the awesomeness of the vulnerability reported and it is at the discretion of Ola Bug Bounty panel.
* All the monetary rewards mentioned on this page are in Indian Rupees (INR).

Responsible disclosure & reporting guidelines
You are bound by utmost confidentiality with Ola. You will not publicly or otherwise disclose any information regarding a bug or security incident without Ola’s prior approval.
Please understand that due to the high number of submissions, it might take some time to triage the submission or to fix the vulnerability reported by you. Therefore, give us a reasonable amount of time to respond to you.
Originality, quality, and content of the report will be considered while triaging the submission; please make sure that the report clearly explains the impact and exploitability of the issue with a detailed proof of concept.
Please make sure that any information such as proof of concept videos, scripts etc. is not uploaded to any 3rd party website and is directly attached as a reply to the acknowledgement email that you receive from us.
You are obliged to share any extra information if asked for; refusal to do so will result in invalidation of the submission.
You will not access any data/internal resources of Ola as well as the data of our customers without prior approval from the Ola security team.
You must be respectful to our existing applications, and in any case you should not run test-cases which might disrupt our services.
Do not use scanners or automated tools to find vulnerabilities since they’re noisy. Doing so will invalidate your submission and you will be completely banned from the Program.
We also request you not to attempt attacks such as social engineering, phishing etc. These kinds of findings will not be considered as valid ones, and if caught, might result in suspension of your account and appropriate legal action as well.
Responsibility at our end
We will be fast and will try to get back to you as soon as possible.
We will keep you updated as we work to fix the bug you have submitted.
The Hall of Fame will be updated only once the vulnerability has been fixed.
Targets in scope
*.olacabs.com
*.olamoney.com
*.ola.foundation
*.olaelectric.in
*.mission-electric.in
*.ola.institute
Ola Cabs mobile app ( Android | iOS )
Ola Lite mobile app - Lighter version of Ola Cabs app ( Android )
Ola Money mobile app ( Android | iOS )
Ola Operator mobile app ( Android )
Ola Partner mobile app ( Android | iOS)
Out of Scope Targets
All the sandbox and staging environments are out of scope.
All external services/software which are not managed or controlled by Ola are considered as out of scope / ineligible for recognition.
Newly acquired company websites/mobile apps are subject to a 12-month blackout period. Issues reported sooner in such websites/mobile apps won't qualify for any reward or recognition.
Eligibility
Prerequisites to qualify for reward or recognition:

Be the first researcher to responsibly disclose the bug. Duplicate submissions are not eligible for any reward or recognition.
Must adhere to our Responsible disclosure & reporting guidelines (as mentioned above).
This program is applicable only for individuals not for organizations.
Verify the fix for the reported vulnerability to confirm that the issue is completely resolved.
In scope vulnerability examples
Report a bug that could compromise the integrity of user data, circumvent the privacy protections of user data or enable access to a restricted/sensitive system within our infrastructure.

Examples of such bugs are:

Cross-Site Scripting (XSS)
SQL Injection
XML external entity (XXE) injection
Server Side Template Injection (SSTI)
Server Side Request Forgery (SSRF)
Cross-Site Request Forgery (on sensitive actions)
Broken Authentication / Authorization
Broken Session flaws
Remote Code Execution (RCE)
Privilege Escalation
Business Logic flaws
Payment Related Issues
Misuse/Unauthorized use of our APIs
Open Redirects (which allow stealing secrets/tokens)
Out of scope vulnerabilities
Some of the reported issues, which carry low impact, may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues which typically do not earn any recognition:

Clickjacking
Bugs requiring exceedingly unlikely user interaction (e.g. Social engineering)
Spamming (e.g. SMS/Email Bombing)
Any kind of spoofing attacks or any attacks that lead to phishing (e.g. Email spoofing, Capturing login credentials with a fake login page)
Denial-of-service attacks or vulnerabilities that lead to DoS/DDoS
Login - Logout cross-site request forgery
Self XSS
Presence of server/software banner or version information
Stack traces and Error messages which do not reveal any sensitive data
Third party API key disclosures without any impact or which are supposed to be open/public.
OPTIONS / TRACE HTTP methods enabled
Missing HTTP Security Headers (e.g. Strict-Transport-Security - HSTS)
Missing Cookie Flags (e.g. HttpOnly, Secure, etc.)
Host Header Injection
Broken Links (e.g. 404 Not Found page)
Known public files or directories disclosure (e.g. robots.txt, css/images etc)
Browser ‘autocomplete’ enabled
HTML / Text Injection
Forced Browsing to non-sensitive information (e.g. help pages)
Certificates/TLS/SSL related issues (e.g. BREACH, POODLE)
DNS issues (e.g. Missing CName, SPF records etc.)
End of Life Browsers / Old Browser versions (e.g. internet explorer 6)
Weak CAPTCHA or CAPTCHA bypass (e.g. using browser addons)
Coupon Misuse
Brute force on forms (e.g. Contact us page)
Brute force on “Login with password” page
Account lockout not enforced
CSV injection
Any kind of vulnerabilities that require installation of software such as web browser add-ons, etc. on the victim's machine
Rate limit mechanism bypass
Kiosk mode / Screen pinning bypass
Any kind of vulnerabilities that require physical device access (e.g. USB debugging), root/jailbroken access or third-party app installation in order to exploit the vulnerability
Bypassing root/jailbroken detection
SSL Pinning bypass
Tapjacking
Reporting usage of known-vulnerable software/known CVEs without proving the exploitability on Ola’s infrastructure by providing a proper proof of concept
Bugs which Ola is already aware of or those already classified as ineligible
Terms and Conditions
By participating, you agree to comply with Ola’s Terms and Conditions which are as follows:

You shall abide by all the applicable laws of the land. Ola will not be responsible for any non-adherence to applicable laws on your part.
You shall not engage in any confidentiality or privacy breaches or violations, destruction, removal or amendment of data (personal or otherwise), or interruption or degradation of our services during your participation in this Program. In case of any breach or violation, Ola reserves the right to ban you from the Program and/ or take legal action.
Eligibility for reward or recognition is at the discretion of Ola.
Exploiting or misusing the vulnerability for your own or others' benefit will automatically disqualify the report.
Threats of any kind will automatically disqualify you from participating in the program.
All the communications with Ola related to this program are to remain fully confidential. Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed. Failure to do so shall constitute a material breach of these T&Cs.
Ola reserves the right to discontinue the responsible disclosure program at any time without notice.
You may only investigate or target vulnerabilities against your own account. Testing should not violate any law, or disrupt or compromise any data, or access data that does not belong to you.
Vulnerabilities which Ola determines as accepted risk will not be eligible for any kind of recognition.
Any solutions, recommendations or suggestions, including any intellectual property contained therein, provided by you to Ola under this Program, shall immediately transfer to Ola without any limitations or exceptions, and once communicated to Ola you waive all rights, title, ownership and interest therein. If requested, you shall provide Ola with appropriate documentation to formalise any such transfer or assignment.
Changes to Program Terms
The Program, including its policies, is subject to change or cancellation by Ola at any time, without notice. As such, Ola may amend these Program T&Cs and/or its policies at any time by posting a revised version on our website. By continuing to participate in the bug bounty program after Ola posts any such changes, you implicitly agree to comply with the updated Program terms.

Program Termination
In the event you breach any of these T&Cs or any other Program terms that Ola releases, Ola may immediately terminate your participation in the Program and/or take any further legal action as necessary. In some cases all your previous contributions may also be invalidated.

Legal points
We shall not issue reward or recognition to any individual who does not follow the guidelines of our program and depending upon the action of an individual, we could take strict legal action. Ola does not commit to any compensation other than as outlined in these T&Cs or as communicated to you at the time of your submission. Ola shall not be liable to make any payments or rewards towards you in any other circumstances. Ola shall also not be liable in the event of delayed response to you for any submission.

Testing using Tools
Don't be evil. Practice safe checks. You must not use any automated tools/scripts, as those can be disruptive or cause systems to misbehave; doing so will invalidate your submission and you will be completely banned from the Ola bug bounty program.

29
Bug bounty programs / myob Bug Bounty
« on: July 31, 2023, 05:38:14 pm »
submit bug report: https://www.myob.com/au/about/security/report-security-vulnerability

Report Security Vulnerability
MYOB is committed to resolving any issues that may compromise the security of our products and services as quickly as possible. We take security vulnerabilities very seriously and protecting client data is one of our top priorities.

If you have discovered a security vulnerability, we would appreciate it if you could keep your findings strictly confidential and disclose the relevant information to us in a responsible manner, as described below.

How to report a security vulnerability?
If you think you’ve found a security vulnerability in MYOB products, services or online platforms, please contact us immediately via email and encrypt your report with our PGP key below:

Email contact: [email protected]

PGP Key: 702A28D9

Fingerprint: 0304 AA70 BFEC 40C8 75F0 BBD4 2A40 D90B 702A 28D9

What to include in the report?
Please provide as much detail as possible. In particular, we would appreciate the following:

An explanation of the security vulnerability
A list of the products and services that may be affected (versions where applicable)
Steps to reproduce the vulnerability
Proof-of-Concept code or software
Test accounts you have created
URLs, IP addresses or infrastructure associated with the vulnerability (if relevant)
Your contact information, such as your organisation and contact name for ongoing communication
Please also advise if you have communicated the vulnerability to CERT or other parties and provide us with any reference numbers.

Rules of engagement
Please do not:

Take advantage of a security vulnerability
Access, delete or modify MYOB or client data
Publicly disclose a vulnerability until it has been resolved
Download more data than necessary to demonstrate a vulnerability
Attempt to break into client accounts
Ask for compensation for your report
Use Social Engineering, Denial of Service or Phishing attacks
Next steps
Please maintain confidentiality and do not make your research public until we have completed our investigation and implemented patches or other mitigations.

The MYOB security team will endeavour to contact you within 72 hours of you reporting the security vulnerability and keep you informed on our progress towards resolving the vulnerability. We will notify you when the security vulnerability has been patched or mitigated, and add your name to our acknowledgments page if it is a valid high or critical vulnerability.

30
Bug bounty programs / Mailchimp Bug Bounty
« on: July 31, 2023, 05:37:05 pm »
submit bug report: https://mailchimp.com/about/security/

As a company that takes data security and privacy very seriously, we recognize that Mailchimp’s information security practices are important to you. While we don’t like to expose too much detail around our practices (as it can empower the very people we are protecting ourselves against), we have provided some general information below to give you confidence in how we secure the data entrusted to us.

Data Center Security
Mailchimp delivers billions of emails a month for millions of users. We use multiple MTAs, placed in different world-class data centers around the United States.
Our data centers manage physical security 24/7 with biometric scanners and the usual high tech stuff that data centers always brag about.
We have DDoS mitigation in place at all of our data centers.
We have a documented "in case of nuclear attack on a data center" infrastructure continuity plan.


Protection from Data Loss, Corruption
All databases are kept separate and dedicated to preventing corruption and overlap. We have multiple layers of logic that segregate user accounts from each other.
Account data is mirrored and regularly backed up off site.


Application Level Security
Mailchimp account passwords are hashed. Our own staff can't even view them. If you lose your password, it can't be retrieved—it must be reset.
All login pages (from our website and mobile website) pass data via TLS 1.2 or higher.
The entire Mailchimp application is encrypted with TLS 1.2 or higher.
Login pages and logins via the Mailchimp API have brute force protection.
We perform regular external security penetration tests throughout the year using different vendors. The tests involve high-level server penetration tests, in-depth testing for vulnerabilities inside the application, and social engineering drills.


Internal IT Security
Mailchimp offices are secured by keycard access and biometrics, and they are monitored with infrared cameras throughout.
Our office network is heavily segmented and centrally monitored.
We have a dedicated internal security team that constantly monitors our environment for vulnerabilities. They perform penetration testing and social engineering exercises on our environment and our employees. Our security team includes OSCP and CISSP certified members.


Internal Protocol and Education
We continuously train employees on best security practices, including how to identify social engineering, phishing scams, and hackers.
Employees on teams that have access to customer data (such as tech support and our engineers) undergo criminal history and credit background checks prior to employment.
All employees sign a Privacy Safeguard Agreement outlining their responsibility in protecting customer data.
In order to protect our company from a variety of different losses, Mailchimp has established a comprehensive insurance program. Coverage includes, but is not exclusive to: coverage for cyber incidents, data privacy incidents (including regulatory expenses), general error and omission liability coverage, excess cyber liability coverage, property and business interruption coverage, as well as international commercial general liability coverage.


SOC II Compliant PCI DSS Certification
Mailchimp's credit card processing vendor uses security measures to protect your information both during the transaction and after it is complete. Our vendor is certified as compliant with card association security initiatives, including the Visa Cardholder Information Security and Compliance (CISP), MasterCard® Site Data Protection Program (SDP), and Discover Information Security and Compliance (DISC). We also perform annual SOC II audits.

We provide our SOC II Report upon request. Please click ‘Request Report’, and include any additional questions you may have.

Request Report
ISO 27001 Certification
The International Organization for Standardization 27001 Standard (ISO 27001) is an information security standard that ensures office sites, development centers, support centers, and data centers are securely managed. These certifications run for 3 years (renewal audits) and have annual touchpoint audits (surveillance audits).

Protecting Ourselves Against You
Yes, you heard that correctly. We can secure ourselves like Fort Knox, but if your computer gets compromised and someone gets into your Mailchimp account, that's not good for either of us.

We monitor and will automatically suspend accounts for signs of irregular or suspicious login activity.
Certain changes to your account, such as to your password, will trigger email notifications to the account owner.
We monitor accounts and campaign activity for signs of abuse.
In addition to our scalable algorithms, we employ another layer of human reviewers, who monitor for anomalous account and email activity.
We provide the ability to establish tiered levels of access within accounts.


Investing in Your Privacy
Our Legal team partners with our developers and engineers to make sure our products and features comply with applicable international spam and privacy laws.
We retain a law firm in the UK to consult on EU privacy issues.
We undergo annual verification with a U.S.-based third-party outside compliance reviewer under the Privacy Shield verification program, and we have certified our compliance with the EU-U.S./Swiss-U.S. Privacy Shield Frameworks.
We are members of the ANA, ESPC, OTA, and MAAWG.
Our corporate attorneys and Legal Compliance Manager are active members of the International Association of Privacy Professionals (IAPP) and collectively hold the certifications of CIPP/US, CIPP/G, and CIPP/E.


Responsible disclosure program
Mailchimp is committed to ensuring the security of our services and customer information. As part of this commitment, we encourage security researchers to contact us to report any potential weaknesses identified in any product, system, or asset belonging to Intuit. This program isn’t intended to represent a public bug bounty program and we make no offers of reward or compensation for submitting potential issues. We appreciate your commitment to improving Mailchimp services.

Responsible disclosure guidelines
Security Researchers will disclose potential weaknesses in compliance with the following guidelines:

Do

Share the security issue with us before making it public (e.g., on message boards, mailing lists, or other forums).
Wait until we provide you notification that the vulnerability has been resolved before you disclose it to third parties. We're focused on the security of our customers and our systems, and some vulnerabilities take longer than others to address.
Provide a clear, concise description of the steps needed to reproduce any vulnerability you submit.
Provide the complete details related to the security issue, including proof-of-concept (POC) URL, as well as the details of the system(s) where tests have been conducted.
Don't

Don’t cause harm to Mailchimp, Intuit, its customers, shareholders, partners or employees.
Don’t engage in any act that may cause an outage or stop any of Mailchimp’s services.
Don’t engage in illegal activities or any acts that violate any international laws or regulations, or federal or state laws or regulations.
Don’t store, share, compromise or destroy any Mailchimp data or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify Mailchimp.
Don’t conduct fraudulent activity or complete fraudulent financial transactions as part of your research.
Out-of-scope vulnerabilities

The following types of vulnerabilities are out of scope for this program:

Phishing
Social engineering
Physical security assessments
Any form of denial of service (DoS) attack


Submission Guidelines
All potential weaknesses submitted must include enough information to reproduce and validate the issue. Documentation should include a detailed summary of the issue, targets, steps performed, screenshots, tools utilized, and any information that will help Intuit during triage.

By following these guidelines and responsibly disclosing any security weaknesses directly to Intuit, we agree not to pursue legal action against you. Mailchimp reserves its legal rights in the event of noncompliance with program guidelines.

Mailchimp will review and promptly acknowledge any submitted issue within three business days of submission through its web form, found here: Responsible Disclosure Form
