




Messages - Angelina

31
Bug bounty programs / KPN Bug Bounty
« on: July 31, 2023, 05:35:15 PM »
submit bug report: https://www.kpn.com/algemeen/missie-en-privacy-statement/beveiligingskwetsbaarheid/beveiligingskwetsbaarheid-melden.htm

Thank you for reporting possible security vulnerabilities in KPN systems and networks. We will contact you personally within 2 working days.
We request that you provide the following information:

A detailed description of the problem
IP addresses, logs and screenshots
Instructions on how to reproduce the incident

32
Bug bounty programs / Indeed Bug Bounty
« on: July 31, 2023, 05:34:07 PM »
submit bug report: https://bugcrowd.com/indeed

Our Mission:
At Indeed, our mission is to help people get jobs.

Since 2004, Indeed has given job seekers free access to millions of jobs from thousands of company websites and job boards. As the leading pay-for-performance recruitment advertising network, Indeed drives millions of targeted applicants to jobs in every field and is the most cost-effective source of candidates for thousands of companies.

We take our security very seriously and welcome any responsible disclosure of potential gaps in our systems. Please read through the following details to help you focus on the areas most important to us.

Indeed may award an additional reward bonus for exceptional reports. This will be done at Indeed’s discretion. Good luck, and happy hunting!

Testing Requirement
Create your Job Seeker and Employer accounts with a +bugbounty to avoid moderation locking your account for suspicious activity. Example: [email protected]

Include bugbounty in the company title you create and do not attempt to misrepresent yourself as a real company.

Where possible, add text bugbounty to requests you are sending to our applications, so our team can identify the traffic being generated as part of your testing.

Program Ground Rules
Respect our users' privacy.
Leave the Site as you found it.
Don't violate our Terms of Service or the law.
Don't impact our services.
No interacting with others.
Cooperate with Indeed.
Participation Eligibility.
Follow Bugcrowd's rules.
Respect our users’ privacy.
If during your research you happen to encounter any information about another user or other individual, immediately stop and report this to Indeed. To participate in this program, you only need to explain the technical vulnerability you discovered.

You must avoid any viewing, copying, altering, destroying, or otherwise interacting with any data, in particular data of other individuals, to which you may gain access through this research. If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required for effectively demonstrating the vulnerability; cease testing, and submit a report immediately if you encounter any user data during testing. This may include Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information.

Leave the site as you found it.
Do not copy, save, store, transfer, disclose, or otherwise retain any information you find on our site during your research, except to report your research to Indeed.

Don't violate our Terms of Service or the law.
All access to our Site must otherwise be in accordance with our Terms of Service and all applicable laws.
In the event you access PII or other sensitive data, note that you are required to follow all laws and regulations applicable to the access and processing of such personally identifiable information and/or data, such as the California Consumer Privacy Act of 2018, the California Privacy Rights Act of 2020, New York Privacy Act 2021, once they become effective, and the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679), including the European Commission’s Standard Contractual Clauses regarding the transfer of personal data to processors.

Don't impact our services.
You must avoid causing any interruption or degradation of our services. Researchers who are found to be using aggressive automated tools will be blocked and removed from the program.

No interacting with others.
Any form of interaction with others on or through our Site, including but not limited to other Indeed users, is strictly prohibited. Close any active test jobs immediately after testing. Do not make any attempts to phish users or employees.

Cooperate with Indeed.
You will be expected to cooperate with us if we request your assistance in connection with your research.

Participation Eligibility.
Current employees or contractors of Indeed are not eligible to participate in the program. Former employees and contractors are eligible to participate in the program only if:

they have left Indeed more than 1 year prior to submission, and
they are not making use of, or referring to, any non-public Indeed information obtained when they were an employee or contractor.
Follow Bugcrowd’s rules.
This program follows Bugcrowd’s standard disclosure terms.

Severity, Rewards & Reporting
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified using the methodology defined below. In an instance where an issue is downgraded, Indeed will try to provide a detailed explanation to the researcher - along with the opportunity to appeal, and make a case for a higher priority. However, the final discretion remains with Indeed.

When we are determining severity, the following descriptions are not meant to be absolute categorizations. Severity depends on potential damage to the business and clients, ease of abuse, how much we can actually fix, size of the user base, and sensitivity of the data. Note: A high severity finding on a demo application may be a P4 due to the low impact and non-sensitive data.

When we are determining rewards within a severity range, the difference between, for example, a High-P1 ($10,000) and a Low-P1 ($4,000) would depend on the number of prerequisites required, the difficulty, the impact and the likelihood of exploitation.

For those reasons, we recommend providing:

An attack scenario: what is the most likely way an attacker actually abuses said vulnerability.
Clear, numbered reproduction steps: if we can't easily reproduce what you are describing, we may misinterpret the issue or severity.
A video PoC: for more complicated exploits.
Impact: your understanding of the impact to Indeed or its users if an attacker exploits the said vulnerability
Recommended fix: if you have any good ideas on ways to mitigate the risk without impacting normal users, it would be appreciated.
Severity | Description | Examples
--- | --- | ---
P1 | Vulnerabilities on Indeed applications that have the potential to: (1) affect most users, (2) disclose highly sensitive data, or (3) have a high impact on business operations. | RCE on backend systems, authentication bypass leading to account compromise, privilege escalations from unprivileged to Admin or cross-organizational lateral movement, sensitive data exposure of Job Seeker or Employer PII
P2 | Vulnerabilities that have the potential to: (1) affect many users, (2) disclose sensitive data, (3) could lead to reputational or substantial business loss, or (4) affect the security or availability of individual processes or services. | Stored XSS, exposed API credentials, subdomain takeovers on *.indeed.com
P3 | Vulnerabilities that can affect multiple or individual users with little to no user interaction, or only have security implications within an organizational context. | Reflected XSS, Intra-organizational privilege escalations, misconfigured CORS.
P4 | Issues that affect multiple or individual users and may require user interaction or significant prerequisites to exploit. The potential business or user impact is likely low, or sensitivity of the data considered to be low. | URL Redirects, Debug information, Some Intra-organizational privilege escalations.
BugCrowd Vulnerability Rating Taxonomy (VRT) Exceptions
Some types of issues do not present a significant enough risk to Indeed, and are usually not accepted. Any submission of these types will only be rewardable if significant risk and impact can be demonstrated.

HTML injection
Self-XSS
Vulns only exploitable on out of date browsers or platforms
Information disclosure with minor security impact (pathing, stack traces, etc.)
SPF/DMARC/DKIM record missing on a domain
Vulns that require physical access or root accounts
Helpful Tips For Your Testing
Different Accounts Types and Roles: Job seekers and employer accounts have access to different features and views. You may want to set up test accounts as both. Organizations can have multiple employer accounts, each with different RBAC defined roles. See https://indeed.force.com/employerSupport1/s/article/206589143?language=en_US to learn more.
Group similar submissions: We ask that researchers who are able to identify the same or similar types of issues in multiple locations, across one of our applications combine those findings into a single submission that includes a description as well as the various locations where vulnerabilities have been identified.
Localization: Indeed is an international company with many different subdomains for different countries, running the same applications in different languages, example: mx.indeed.com, ca.indeed.com, in.indeed.com, vn.indeed.com. Localized versions can share the same codebase and therefore, a vulnerability found on many may only be eligible to be rewarded once.
Third party applications: For third party applications, such as Wordpress, they will only be eligible for reward if there is action Indeed can take to mitigate issues identified. A good example of something we wouldn't payout for is the output of WPScan showing recently out of date plugins, since regular patching is part of our WP management. An example of something we would payout for is a POC showing unintended behavior that isn't in a vendor patch.
Disclosing results: This bounty requires explicit permission to disclose the results of a submission.
Documentation: Developer API portal & documentation: https://developer.indeed.com/

33
Bug bounty programs / Hootsuite Bug Bounty
« on: July 31, 2023, 05:32:17 PM »
submit bug report: https://hootsuite.com/security/response

Tracking and Disclosing
We work hard to ensure our product is safe and secure. Have you discovered a security flaw that may impact our service or our users? Please let us know.

Submitting a Report
Hootsuite's Security Team will acknowledge your report, usually within 24 hours.
Our Team will assign a Point of Contact who will help track your issue.
Our Team will investigate the issue and determine the impact on our products.
While we will not disclose the issue until our investigation is completed, we will work with you to ensure we fully understand the issue, its scope and its scale.
When our Team resolves the issue, we will post an update along with thanks and credit for the discovery.
Contact us about Security Flaws
For incidents that affect a single user or account please contact Hootsuite Help - they are your fastest response for single-user security issues.

For incidents that affect many users please send urgent or sensitive reports directly to [email protected]. Use our Public Key to keep your message safe and provide us with a secure way to respond.

If for some reason our Security Team does not respond within 24 hours, please follow up with us via Twitter @Hootsuite_Help. For requests that are not urgent or not sensitive, please submit a support request.

34
Bug bounty programs / Guilded Bug Bounty
« on: July 31, 2023, 05:31:13 PM »
submit bug report: https://support.guilded.gg/hc/en-us/articles/360039728333-Contact

Support - [email protected]
If you have any questions or need assistance with anything that you couldn't find in our Help Center, feel free to reach out to our support team.
Feedback - [email protected]
We appreciate your suggestions and ideas for improving Guilded. If you have any feedback to share, please send it to this email address.
Partners - [email protected]
For existing, former, or prospective Guilded Partners, you can contact us at this email address for any inquiries or assistance related to partnerships.
Security - Roblox on hackerone
To report any vulnerability disclosures or security concerns

Press - [email protected]
For press inquiries or media-related matters, please reach out to us at this email address.
Contact - [email protected]
For general or business inquiries you can contact us through this email address.

35
Bug bounty programs / Gamma Bug Bounty
« on: July 31, 2023, 05:30:00 PM »
submit bug report: https://www.gamma.nl/klantenservice/veiligheid-privacy/responsible-disclosure

Responsible Disclosure
At Intergamma, the security of our systems is a top priority. To protect our and our customers' data, we secure our websites and systems as well as possible. It is of course human work, so there is always the possibility of an error creeping in. That is why we have a 'responsible disclosure policy', in collaboration with the Intigriti platform. Here you can report possible vulnerabilities.

What do we ask of you?
Submit your findings through the Intigriti Intergamma program.
Observe the rules and guidelines listed there.
Do not abuse what you have discovered, for example by downloading more data than necessary or by viewing, modifying or deleting data from third parties.
Do not use physical security attacks, social engineering, (distributed) denial of service attacks, spam, or brute force attacks.

36
Bug bounty programs / FoxyCart Bug Bounty
« on: July 31, 2023, 05:28:03 PM »
submit bug report: https://bugcrowd.com/foxycart

We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at Foxy. Every day new security issues and attack vectors are created. FoxyCart strives to keep abreast of the latest state-of-the-art security developments by working with security researchers. We appreciate the community's efforts in creating a more secure world.

No technology is perfect, and we at Foxy believe that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Disclosure Policy
Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Exclusions
While researching, we'd like to ask you to refrain from:

Denial of Service attempts
Spamming
Social engineering (including phishing) of Foxy staff or contractors
Any physical attempts against Foxy property or data centers
Thank you for helping keep Foxy.io/FoxyCart.com and our users safe!

Before You Begin
Please read and follow the rules in the Standard Disclosure Terms.
Please review our blog post about submitting helpful reports.
Review the "Out of Scope" section below.
Please review the "Known Issues" below.
What, Where, and How to Test
At its simplest, FoxyCart works by adding products to a /cart endpoint via GET or POST request. Click here for some examples on our homepage.

To do more in-depth testing and create your own account:

Create an account at https://admin.foxycart.com/signup/.
When creating your account, please use the following format:
When creating your store's subdomain, please use the following format:
username-bugcrowd
Example bugcrowd_01-bugcrowd.foxycart.com.
Test as desired. You can use the default Authorize.net gateway test account and the test credit card 4111 1111 1111 1111 to test successful transactions. Full documentation is available at wiki.foxycart.com, and there's a quick cheat sheet as well.
Create an API client at api-sandbox.foxycart.com or from the "integrations" page in the admin. The API uses Oauth 2.0, and can handle nearly every request that admin.foxycart.com can.
Please do not use automated scanners or aggressive scripts.

DO NOT REPORT Known Issues & False Positives
DMARC, DKIM, or SPF records missing on domains or subdomains.
DROWN ATTACK NOTE: (2016-03-02) Don't report that we're vulnerable to DROWN unless you can show an IP and domain that match what you're attempting, and that are actually vulnerable. The DROWN test tool isn't giving you the info you might think it's giving you.
BREACH Attack: Unless you can confirm our mitigation approach at admin.foxycart.com isn't sufficient, please do not report this.
Session persistence after logout.
For admin.foxycart.com: If you believe you can reuse a logged in cookie after a logout, please confirm you can replicate it. This has been reported a few times in error, so we'll need a screencast, details of the requests/responses, AND confirmation that you've been able to replicate it (with detailed steps) before we will spend time attempting to reproduce this.
For admin.foxy.io: This is a known issue and excluded from our bug bounty program.
SSRF: Our cache endpoint (which caches images and is publicly accessible) and our template caching (available in the admin) make outbound GET requests. Similarly, other functionality may make outbound requests (webhooks, tax systems, etc.). This is by design. We'll only accept SSRF reports if you can demonstrate accessing internal or otherwise privileged access.
CSRF: If you report a CSRF issue and you include a valid CSRF token in your POC... Please just don't do that.
Automated Scanning Tools: Don't just blindly report whatever your tool reported. It'll waste our time and yours if you don't verify it's an actual issue.
Moving on…

The most important thing to note is how FoxyCart works. Please don't report the following behavior:

Products can be added via a GET or POST, and a product's name, price, or other options can be modified. This is by design. We designed our system for flexibility and there is a way to protect add-to-cart links and forms.
These requests can be submitted to SSL from a non-SSL page.
The templates (cart, checkout, receipt, email) can include whatever javascript the user would like. Again, this flexibility is by design.
The following finding types are specifically excluded from the bounty:

General issues:

Self-XSS and issues exploitable only through Self-XSS.
Editing certain non-user-controllable HTTP headers such as Referer can trigger a reflected XSS on certain pages.
SSL cipher strength issues as reported by automated scanning tools, unless you have a practical exploit.
Clickjacking headers not present on some of our subdomains.
HTTP 404 codes/pages or other HTTP non-200 codes/pages.
CSRF on forms that are available to anonymous users (e.g. the contact form, search form).
Presence of application or web browser 'autocomplete' or 'save password'.
Disclosure of known public files or directories, (e.g. robots.txt).
Banner disclosure on common/public services.
No Strict Transport Security (HSTS) headers set.
Normal OPTIONS responses.
Some domains do not have proxy protection.
cache.php will cache/load images from 3rd-party domains. This is by design. (See the note about SSRF above.)
Some forms do not have rate limiting / brute-force protections. (Please don't automate a ton of contact forms or anything.)
Lookalike domains exist that we don't own or are unregistered.
Host Header validation/injection, unless you have a demonstrable exploit. (Please don't submit host header redirection issues.)
Admin-related issues:

NEW ADMIN at admin.foxy.io: We're currently only accepting security-related bug reports.
3rd-party scripts are loaded within the admin.
Account creation at admin.foxycart.com does not have captcha or email validation.
Multiple failed login attempts for an invalid user do not result in an IP-based block. (Please note that multiple failed login attempts for a valid user will result in a temporary lock for that user, but you'll still get a 200 response. Also, we do IP-based blocking in certain other cases.)
Login Page / Forgot Password page messaging, account brute force, or account lockout not enforced. (Again, there's enforcement in some areas, and we're aware of others already.)
Password resets...
Indicate whether an account exists or not.
Don't generate an additional email to the admin user.
Are sent via a link that's Base64 encoded.
That link shows in the referrer header when loaded in the Foxy admin.
Aren't rate limited.
Aren't expired on email change.
Admin email changes happen without an email confirmation.
There's no maximum password length. This is not a DoS issue.
Admin sessions are not invalidated on… certain events. In the situations where sessions aren't invalidated, this is a known issue. (Similarly, we don't support MFA yet, and don't have robust "suspicious" login detection. We're working on that.)
Admin does not require re-authentication on certain actions.
Logout Cross-Site Request Forgery (logout CSRF).
Clickjacking is possible in certain old browsers that don't support X-Frame-Options-Header but do support TLSv1.1+.
There exists an edge case where it's possible to change an admin password without providing the original password. We are aware and working to diagnose. (If you can reliably reproduce, that'd be a valid submission. Otherwise it's a known issue.) (There exists another way to do this that we can reproduce, related to the password reset email URL. This is a known issue.)
Generated CSVs may allow for Excel-specific functions to be output.
RC4 encryption is used in legacy webhook systems.
Cart and Checkout issues:

Form POSTs and GETs to /cart are possible from http. (http->https MITM attack vector.)
Cart requests do not require CSRF or have other protection (aside from the HMAC signing mentioned above).
The ability to modify product parameters in a link or form, if the account has the HMAC signing functionality disabled. (Again, as mentioned above.)
Clickjacking headers (and/or other mitigating precautions) not present on some of our subdomains.
The session-specific referrer header can be manipulated, and is output to customers in certain situations.
Password resets (and customer logins) indicate whether an account exists or not.
It's possible to create a duplicate customer account with an existing email under very specific circumstances.
Networking and infrastructure:

Host Header injection/modification/redirects. We're aware.
It's possible to reveal an internal IP address if you modify a redirected request. This is an AWS ELB/ALB thing, and the IP revealed is not one of ours.
Open redirect on the store's *.foxycart.com subdomain (or custom domain) without a /cart parameter, redirects to the configured store URL.
A Note about XSS
Please note: If you've identified an XSS issue (especially on our www site), please make sure it is actually exploitable beyond Burp Suite or whatever you're using. If you can't reproduce the XSS in a browser, we will likely consider it self-XSS, and an invalid submission.

A Note about CSRF
We get a lot of CSRF reports that include the CSRF token in the proof of concept. Before reporting CSRF, make sure you actually understand what CSRF is, because if you include the CSRF token in your POC, it's just a waste of your time and ours.

Out of Scope: Other *.foxycart.com or *.foxy.io Domains
Foxy customer sites and applications are out of scope for this program. You can create a free test account at admin.foxycart.com if you'd like to test the cart and checkout flow itself. Please don't test our users.

For vulnerabilities found at the following subdomains, we make a distinction between the underlying system and our own modifications. For example, we use Dokuwiki for our wiki. If you find a security issue in our implementation of Dokuwiki, that may be valid and eligible for a reward from us. But, for instance, an issue with Dokuwiki itself should be reported to them.

www.foxy.io uses Grav CMS
www.foxy.io/blog uses Wordpress
Please note that reports about xmlrpc.php being present are excluded from our program.
wiki.foxycart.com uses Dokuwiki
affiliate.foxycart.com uses iDevAffiliate
support.foxy.io uses HelpJuice

37
Bug bounty programs / Curl Bug Bounty
« on: July 31, 2023, 05:26:38 PM »
submit bug report: https://curl.se

No technology is perfect, and curl believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our products, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Disclosure Policy
Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Exclusions
While researching, we'd like to ask you to refrain from:
Denial of service
Spamming
Social engineering (including phishing) of curl developers
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Valid issues
Security problems present in the latest released curl/libcurl version that haven't already been reported/fixed and haven't otherwise been made public, in full or in part, may be subject for a bounty. Responsible disclosure must be followed for a vulnerability to be subject for a bounty.
Exclusions from the bounty program
Experiments
Vulnerabilities in features which are off by default and documented as experimental, are not eligible for a reward.
Issues with our infrastructure
Any infrastructure issue that you may find is out of the policy unless it affects the source packaging/distribution. This includes but is not limited to DNS config for our domains, our email setup details and website configurations or hosting details. Not in scope!
The wiki is world editable
It is on purpose. It is a wiki. If you change or add non-curl related contents to prove a point, we consider that abuse.
Thank you for helping keep curl and our users safe!

38
Bug bounty programs / Copper Bug Bounty
« on: July 31, 2023, 05:25:54 PM »
submit bug report: https://copper.com/security

Policy

No technology is perfect, and Copper CRM, Inc believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Disclosure Policy
You may only test against accounts that you have created which include your HackerOne YOURHANDLE @ wearehackerone.com registered email address.
Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Exclusions
While researching, we'd like to ask you to refrain from the following list as these issues will be closed as Not Applicable:
Denial of service
Spamming
Unconfirmed reports from automated vulnerability scanners
Disclosure of server or software version numbers
Mobile application issues that can only be exploited on a compromised device.
Hypothetical security weaknesses without demonstrating real user impact.
Open HTML redirects
Arbitrary file upload - CDN
Issues with DNS records such as SPF, DKIM or DMARC
Insufficient Password Policy Implementation
Use of HTTP Strict Transport Security (HSTS)
You must not attempt to gain access to, or interact with, any accounts other than those created by you.
The use of commercial scanners is prohibited (e.g., Nessus).
Social engineering (including phishing) of Copper's staff or contractors
Any physical attempts against Copper's property or data centers
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Copper and our users safe!

39
Bug bounty programs / Clario Bug Bounty
« on: July 31, 2023, 05:24:32 PM »
submit bug report: https://clario.co/

Policy

1 Intro
Clario Tech DMCC (hereinafter - Clario) invites security professionals to participate in our bounty program to ensure the security of our products and the safety of our customers’ data.
Please read this program policy carefully before proceeding with any further testing activities on the company assets.
2 Program Scope
The program scope includes in-scope assets and in-scope vulnerabilities. Please note that you are not allowed to test any Clario assets which are not included in the program scope. Clario will pay no rewards for any discovered vulnerabilities which are defined as out of vulnerability scope in this program.
2.1 In-Scope Assets
2.1.1 Web services and applications
Web services and applications, directly bound to the domains specified below, are in scope of the program. Any other domains, subdomains, services and applications are out of scope.
Tier 1
https://account.mackeeper.com
https://kbill.mackeeper.com
https://mkapi.mackeeper.com
https://crm.clario.co
https://chat.clario.co
https://chat-crm.clario.co
https://yapi.clario.co
https://api.account.clario.co
Tier 2
https://dl.clario.co
https://clario.co
https://webapi.clario.co
https://inapp.clario.co
https://mackeeper.com
Tier 3
https://api-ne.mackeeper.com
https://updatetracker.clario.co
https://updater.clario.co
https://dcs.clario.co
https://event.clario.co
https://adblocking.clario.co
https://inapp.clario.co
https://static-cdn.clario.co
https://updater.clario.co
2.1.2 Desktop and mobile applications
The next applications are in scope:
Mackeeper app
version 6.3 or higher. We will update this number upon changes in our production releases
Note: for a short period of time, we still accept High and Critical vulnerability reports for older versions of Mackeeper (5.14.1 and higher)
This application belongs to Tier 1 resources.
Please note, only the versions of applications defined in this table are in scope. We do not accept reports on outdated versions of applications.
2.2 Vulnerability Scope
While you are allowed to test any technologies within the specified scope of resources, please consider the following limitations:
2.2.1 Social engineering
We will reward only the reports on purely technical vulnerabilities. Any kind of social engineering activities during your testing within this program are strictly prohibited and might be illegal.
Particularly, you are not allowed:
contact our customers for testing purposes
contact Clario Customer Support with manipulative aims
contact Clario personnel (except contacts via the HackerOne platform to the dedicated Clario team)
2.2.2 Service disruption
You must not disrupt Clario services. In particular, DDoS attacks are strictly prohibited.
Please avoid any activity that could lead to the disruption of our service (DoS). Intentional service disruption is prohibited.
You should always enable throttling on your web-scanners and set it to “one request per second”. Unthrottled automated scanning reports could be qualified as N/A.
2.2.3 Customer data access restriction
You must not compromise or disclose any customer data. Please immediately stop your research and notify Clario if you have gained access to any customer account or data (except your own or those for which you have explicit written permission from their owners).
2.3 Vulnerabilities out-of-scope
We are not interested in and will not reward reports for vulnerabilities specified in this section.
2.3.1 Common vulnerabilities excluded from the scope
Missing best practices in SSL/TLS configuration
Missing SPF/DMARC/DKIM settings
Missing best practices in Content Security Policy
Server/Application error message with no sensitive information leakage
Previously known vulnerable libraries without a working Proof of Concept
Theoretical security issues with no realistic exploit scenario
Issues that would require complex end-user interactions to be exploited
Vulnerabilities that require root-level physical access to the targeted device to be exploited
Open ports scanning, banner grabbing, software version disclosure
MITM attacks (except the reports on VPN vulnerabilities)
Clickjacking on pages with no severe impact
Implausible bruteforce attacks
Rate limiting or bruteforce issues on non-authentication endpoints
Vulnerabilities which could not be reproduced on the latest versions (by the day of your report) of the browsers Safari, Chrome, Firefox
2.3.2 Common vulnerabilities excluded from the scope if the potential impact is not proven
The following vulnerabilities are usually excluded from scope as “not self-sufficient”. However, you may show them as a part of your attack chain. In this case we will reward your report according to the maximum proven vulnerability in your report.
Content spoofing and text injection on the client side only
Stack traces, path disclosure, and directory listings
“Mixed Content” issues
HTTP Options header
Missing HttpOnly or Secure flags on cookies
Comma Separated Values (CSV) injection
2.3.3 Out of Scope bugs for Android apps
Lack of rooting detection
Runtime hacking exploits (exploits only possible in a rooted environment)
Lack of binary protection control in the Android app
Shared links leaked through the system clipboard
Any URIs leaked because a malicious app has permission to view URIs opened
Lack of obfuscation of third-party libraries
User data stored unencrypted on external storage
OAuth and App secret hard-coded/recoverable in APK
Any kind of sensitive data stored in app private directory
2.3.4 Out of Scope bugs for iOS apps
Lack of jailbreak detection is out of scope
Runtime hacking exploits (exploits only possible in a jailbroken environment)
Lack of binary protection (anti-debugging) controls
Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
Path disclosure in the binary
Lack of obfuscation of third-party libraries
OAuth and App secret hard-coded/recoverable in APK
Snapshot/Pasteboard leakage
3 Rewards (bounty)
The reward is calculated based on the target tier (see the Program Scope section of this document) and severity of the vulnerability.
Clario defines severity level based on our self-calculated CVSS score for each specific vulnerability.
Please note, that Clario may use additional factors unrelated to CVSS score to determine the severity level of a vulnerability. This approach is supported by the CVSS v3.1 specification:
"Consumers may use CVSS information as input to an organizational vulnerability management process that also considers factors that are not part of CVSS in order to rank the threats to their technology infrastructure and make informed remediation decisions. Such factors may include: number of customers on a product line, monetary losses due to a breach, life or property threatened, or public sentiment on highly publicized vulnerabilities. These are outside the scope of CVSS".
For example, the CVSS methodology uses Confidentiality, Integrity, and Availability as equal factors for the calculations. Clario always emphasises the protection of our customer data. So, we will rate vulnerabilities related to personal data protection as more critical than similar vulnerabilities affecting availability only. Our rule of thumb is: “the more likely a vulnerability is to affect our customers' data and the easier the attack is to reproduce, the higher the severity level and the higher the reward”.
Another example is the attack vector. Clario will not reward vulnerabilities that require physical access to a customer's device to be exploited. These vulnerabilities are explicitly defined as out of scope, even though it is still possible to calculate a CVSS score for them.
Usually, we also decrease the criticality level of vulnerabilities that do not harm our assets directly, but rather “might be potentially used” as a part of some more complex attack chain. For example, reflected XSS will in most cases be evaluated as “Low”, unless you provide a PoC for a full attack chain with more significant impact.
Please note that our priority is TECHNICAL issues. The more “social engineering” activities your scenario assumes, the less reward you will get.
Bounty calculation table (maximum reward per severity and tier):
Severity   Tier 1   Tier 2   Tier 3
Critical   5000     3000     1000
High       3000     1500     750
Medium     1000     400      250
Low        250      150      100
Please note that this table specifies the maximum amount paid by Clario as a reward. The actual amount will also depend on the report quality. Reports lacking the necessary information to enable Clario to efficiently reproduce the issue will not be rewarded. Please read the Report Eligibility section for more details.
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
4 Report Eligibility
4.1 In order for your report to be eligible, you must:
Be the first party to report the issue
Provide a clear report, containing steps to reproduce the issue and a Proof of Concept (PoC)
Not disclose the issue publicly before Clario approval
Follow this program policy and do not violate the rules
4.2 Eligible report should include:
A detailed description of the issue, including its potential impact
Any conditions, prerequisites and steps to reproduce the issue
Any other supporting documentation (code, screenshots, references) required to explain the vulnerability and the relevant attack scenario
Please submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
4.3 Please DO NOT report:
purely theoretical and best-practice issues without real impact description and PoC
unvalidated reports from automated vulnerability scanners
out-of-scope issues. Such reports will most likely be closed as "N/A". Submitting multiple N/A reports may result in you being excluded from participating in our program.
5 Response Targets (SLA)
Clario will make the best effort to meet the following SLAs for hackers participating in our program:
SLA (in business days):
First Response (from report submit) - 2
Time to Triage (from first response) - 2
Time to Bounty (from triage) - 14
Time to Resolution depends on severity and complexity.
We will keep you informed about our progress throughout the process.
6 Disclosure Policy
You must not discuss any vulnerabilities (including the resolved ones) outside of the program without express consent from Clario.
Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to not disclose the report or to disclose it only partially.
Please follow HackerOne Disclosure Guidelines.
7 Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered as authorized conduct and we will not initiate any legal actions against you.
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Still, you must comply with all applicable laws, including local laws of the country or region in which you reside or in which you download or use Clario software or services.
8 Feedback
If you have any suggestions or feedback, please let us know at [email protected]

40
Bug bounty programs / Practo Bug Bounty
« on: July 26, 2023, 08:10:31 PM »
submit bug report: https://www.practo.com/company/responsible-disclosure-policy

At Practo, we take the safety and security of our customers’ data very seriously and stand guard over the trust put in us by our users.


We understand the importance and value of the role played by security researchers and ethical hackers in keeping the internet safe. Therefore, we support their responsible efforts in not only identifying potential vulnerabilities but also reporting them responsibly.


We urge you to review the Responsible Disclosure Policy before you test and/or report an issue with any of our applications. We assure you that Practo will never pursue any legal action against users who report the issues, as long as they follow these guidelines.


Who can participate in the program?
Anyone who doesn't work for Practo or for partners of Practo, who reports a unique security issue in scope and does not disclose it to a third party before we have patched and updated it, will be eligible to take part in this program.

Responsible Disclosure policy:
- Report your finding by writing to us directly at [email protected] without making any information public.
- We will respond as quickly as possible; it generally takes 24-48 hours.
- In the best interest of our customers and their data, please do not publicly disclose the issue until it has been addressed by Practo within a reasonable timeframe.
- In order to keep everyone safe, please act in good faith towards our users' privacy and data during your disclosure. We won't take legal action against you or administrative action against your account if you act accordingly.
- Make every effort to avoid privacy violations, disruption to production systems, degradation of user experience and destruction of data during security testing. This would include Brute Force, DoS, Spamming, Scraping, Social Engineering etc.
Reporting guidelines
Please include the following information when sending us the details:

- Operating System name and version.
- Client name and version.
- Plugin names and version installed in the client.
- Steps necessary to reproduce the vulnerability including any specific settings required to be reproduced (If this contains more than a few steps, please create a video so we can attempt to perform the same steps).
- A copy of the source code following your successful test.
- What is the impact of the issue?
- What are some scenarios where an attacker would be able to leverage this vulnerability?
- What would be your suggested fix?
Scope
- All subdomains of practo.com i.e. *.practo.com
- Practo mobile apps -- Android, iOS

41
Bug bounty programs / OWOX Bug Bounty
« on: July 26, 2023, 08:06:22 PM »
submit bug report: https://bi.owox.com

Policy

No technology is perfect, and OWOX believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Disclosure Policy
Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Exclusions
While researching, we'd like to ask you to refrain from:
Denial of service
Spamming
Social engineering (including phishing) of OWOX staff or contractors
Any physical attempts against OWOX property or data centers
Thank you for helping keep OWOX and our users safe!

42
Bug bounty programs / Onfo Bug Bounty
« on: July 26, 2023, 08:05:29 PM »
submit bug report: https://support.onfocoin.com/hc/en-us/articles/360025769031-Bug-Bounty-Program

Vulnerability Disclosure Philosophy
We support responsible disclosure. We will acknowledge valid and original (i.e., the first reported instance) discoveries on the Onfo web client or mobile app with the name of the security researcher(s) responsible. Currently, we don't have formalized bug-bounty program payouts based on tiers of severity. However, we do still award bounties on a case-by-case basis.


We will not retaliate against researchers who report issues privately and in a responsible manner. We will do our best to reply to your findings in a timely manner and will keep you updated on the progress of the issue.


Report vulnerabilities to: [email protected]


For encrypted communication, use the PGP key below.

-----BEGIN PGP PUBLIC KEY BLOCK-----
=zD9s
-----END PGP PUBLIC KEY BLOCK-----


43
Bug bounty programs / olx Bug Bounty
« on: July 26, 2023, 08:03:23 PM »
submit bug report: http://olx.com

At OLX, we take security issues seriously. If you believe you've detected a vulnerability within our products we'd like to hear about it. We'll investigate all reports and do our best to fix these issues as soon as possible.
Important Information
At the moment our program managed by HackerOne is paused; for more information visit security.olx.com.
Scope
You can review the OLX sites in scope by visiting security.olx.com. Vulnerabilities need to be documented in a way that allows them to be reproduced. Send screenshots, code or video to help us understand the issue.
What about public disclosure?
We're more than happy to publicly disclose your bug once it has been fixed by our developers.
Exceptions & Rules
Any activity that would disrupt, damage or adversely affect any third-party data or account is not allowed. Please do not mass create accounts to perform testing. Also do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.
The following are strictly prohibited:
Denial of Service attacks.
Physical attacks against offices and data centers.
Social engineering of our service desk, employees or contractors.
Compromise of an OLX user's or employee's account.
Automated tools or scans, botnet, compromised site, end-clients or any other means of large automated exploitation or use of a tool that generates a significant volume of traffic.
Out of Scope/Non-qualifying vulnerabilities
These vulnerabilities are out of scope since we're currently aware of them in some of our products and are actively working on them.
WordPress/CPanel vulnerabilities
Software version disclosure
HttpOnly and Secure cookie flags
SSL/TLS scan reports (this means output from sites such as SSL Labs)
Password strength policies
Session timeout
Session Hijacking (cookie reuse)
Missing security headers
Autocomplete
Account enumeration
Rate-limiting (for non-authentication flows)
Self XSS attacks
Self-exploitation (i.e. password reset links or cookie reuse)
Tabnabbing with partner links
Use of a known-vulnerable library (without proof of exploitability)
Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue
Directory listing
Open redirects
Content Spoofing
Missing SPF/DKIM/DMARC records
Rewards
At this time, we are not awarding bounties or cash rewards for reported vulnerabilities.

44
Bug bounty programs / Netapp Bug Bounty
« on: July 26, 2023, 08:00:41 PM »
submit bug report: https://security.netapp.com/contact/

How to Report Security Issues to NetApp
NetApp has policies and procedures for reporting potential security issues.
The security of our products is of primary importance to NetApp and our customers. We accept reports of security vulnerabilities and work to ensure we can resolve them rapidly.

Contact us at the following email addresses to report:

An incident involving the NetApp® corporate network or a potential security issue with our website: [email protected]
A potential vulnerability with NetApp® products or services: [email protected]
These email addresses are for reporting potential vulnerabilities and security incidents only. For technical and customer support, including assistance analyzing results from vulnerability scanners, visit mysupport.netapp.com

We encourage you to encrypt personal, sensitive, or confidential information you send us via email by using the NetApp PSIRT GPG key (0x42C553F7). The full fingerprint of the PSIRT GPG key is:
87BA E855 6AFE 8743 A7E7 0CDC DBA1 73A6 42C5 53F7

NetApp attempts to acknowledge receipt to all submitted reports within seven days. In some instances, acknowledgement of receipt may be delayed due to company or national holidays. In those cases, NetApp will make every attempt to respond within the seven-day window upon the resumption of normal business activities.

Key Points
Report potential vulnerabilities with products or services.
Inform NetApp of potential incidents and issues on our websites.
Learn about NetApp's response policy.

45
Bug bounty programs / MapBox Bug Bounty
« on: July 26, 2023, 07:59:18 PM »
submit bug report: https://www.mapbox.com/security

Mapbox appreciates the effort of software security researchers who work to make the Internet more secure. Our security vulnerability bounty system exists to reward the work of security researchers who find issues with our software and web services.
If you have questions about our bug bounty program or are unable to properly access/test an in-scope asset please email [email protected].
SLAs
Mapbox attempts to meet the following SLAs for hackers participating in our program:
Response Target                              Time (in business days)
Time to first response (from report submit)  2 days
Time to triage (from report submit)          2 days
Time to bounty (from triage)                 10 days
Time to resolution                           Depends on severity and complexity
Rules
Do not publicly disclose the bug until Mapbox has confirmed the bug is fixed.
Do not subject our website or web services to DoS, DDoS, scraping, brute force, or other type of automated attack.
Do not spam our contact form or support inboxes.
Do not use security scanners or tools which may cause DoS, DDoS or scraping-like behavior against our web services or website.
Do not try to gain access to another user's account or data - please use test accounts.
Eligibility for a bounty
To qualify for a bounty:
You must be the first reporter of the vulnerability and it must not be a duplicate or known issue
Your report must be within scope and not on our list of ineligible reports and known issues
You must not be a minor
You must not be a resident of or be located in a country on any U.S. sanctions lists
Public disclosure of the issue before its resolution will result in disqualification from the Mapbox HackerOne program. Evidence of abuse or accessing another user's data or account without their permission will also result in disqualification from the program.
Reporting
All bug reports should include the following information to be considered for a bounty. Reports missing the information below will be marked as "Needs More Information," resulting in a minor loss of reputation points.
Vulnerable URL(s) and any affected parameters
Your browser and operating system
Detailed, step-by-step explanation of how to replicate the issue
Screenshots or videos of the vulnerability are highly encouraged and will result in quicker triage of the issue and possibly a higher bounty at Mapbox's discretion.
Eligible reports
Here is an incomplete list of reports we are interested in:
Cross-site scripting (XSS)
Directory traversal
Privilege escalation
Server-side remote code execution or command injection
SQL or NoSQL injection
Access control bypass
Disclosure of secret access tokens (sk.*) by Mapbox systems other than when they are instantly generated on mapbox.com. Note that reports about the disclosure of public access tokens (pk.*) are ineligible.
Presence of Mapbox staff secret tokens (sk.*) on the public internet, as determined by Mapbox. Presence of Mapbox customer secret tokens on the public internet are ineligible.
Ineligible reports or known issues
The following reports are ineligible to receive bounties or reputation points. Any submitted reports related to them will be closed as N/A.
Social engineering of Mapbox staff, contractors, or customers
Session management issues
Reports from automated tools or scans
Issues related to software or protocols not under Mapbox's control
Denial of Service attacks, including mass requests against password reset, login, account creation, or other endpoints. We have monitoring and mitigation against brute force attacks which we believe are adequate. Please do not conduct brute force attacks.
HTML or CSS injection in map markers or map features - this is by design so that our users can have rich, styled maps. We sanitize JavaScript and arbitrary code using sanitize-caja. We are interested in reports about the execution of JavaScript though!
Presence of autocomplete on form fields, including username and password fields
SPF, DKIM, or DMARC settings
Password and account recovery policies, including password reset emails and password reset links
Reports noting the lack of or suggesting the institution of a password policy, including account lockout settings
email spoofing
DNSSEC settings
Presence of public (pk.*) access tokens in web pages or URLs - due to their use in client-side JavaScript these are public by design.
Presence of sk.* access tokens with non-staff and non-admin privileges in web pages or URLs or in deleted or archived GitHub repos.
Username enumeration, including an oracle that discloses whether a given username or email address is associated with an account
Reports of CSRF or reports of a lack of CSRF tokens on www.mapbox.com, unless accompanied by a detailed proof of concept exploit. We have alternative CSRF mitigation in place.
Missing HTTP security headers, unless accompanied by a detailed proof of concept exploit that leverages their absence
Existence of access-controlled administrative pages
Reports related to the SSL/TLS certificate for www.mapbox.com. Please report instead to the Fastly security team.
Open redirects
Use of a library with known vulnerabilities (without evidence of further exploitation)
Vulnerabilities only affecting older browsers. Please see our documentation on browser support. Any reports related to Internet Explorer 7 will be marked as ineligible.
HSTS or CSP headers
Clickjacking or UI redressing on maps or features intended to be embedded in other pages such as those from the api.tiles.mapbox.com or api.mapbox.com domains. Mapbox customers often embed their maps on their pages using the iframe element.
Content spoofing or HTML injection, unless accompanied by a proof of concept that demonstrates a security risk beyond injecting plain text
Reports of insecure SSL/TLS ciphers or weak signature algorithms, unless accompanied by a working proof of concept of an exploit
Any resources which happen to contain mapbox in their name but are not owned by Mapbox. For example, if an S3 bucket named mapbox-test was discovered and reported with a vulnerability, and we determine it is not owned by Mapbox, it would be considered ineligible.
Issues related to buying a subscription without paying are currently out of scope for our bug bounty program.
Ineligible for monetary bounty, but appreciated
The following reports are ineligible for a monetary bounty due to their low severity, though they may be eligible for reputation points. If accompanied by a detailed proof of concept of an exploit leveraging their existence, they may be eligible for a cash bounty at Mapbox's discretion.
Mixed content
Self-XSS
