Recent Posts

Bug bounty programs / Panasonic Bug Bounty
« Last post by Angelina on July 31, 2023, 05:41:09 pm »
submit bug report: https://holdings.panasonic/global/corporate/product-security/psirt/policy.html

Panasonic Product Security Incident Response Team
PSIRT
Please read the information below concerning Panasonic's policy on personal information practices on the website, and indicate your consent by clicking the "I agree; go to the next page" button. This will take you to the Inquiry Form.
Note: You cannot proceed to the Inquiry Form if you do not indicate your consent to the contents below. Thank you for your understanding.

[Personal Information Practices on the Website]

(1) Company name and personal information protection manager
Panasonic Corporation Panasonic PSIRT

(2) Purposes of use of personal information
Personal information entered and obtained will be used as follows:
To solve the vulnerabilities and record them

(3) Provision of personal information
In some cases we will provide personal information we have obtained, such as a customer's name and contact information, to an affiliate of the Panasonic Group, by paper or electronic medium, when we have determined that it is appropriate for the affiliate of the Company Group to respond to a product inquiry. In such cases, customers are able to request that the Company stop providing their personal information to group companies.

(4) Consignment of personal information management
In some cases we will consign all or part of the management of personal information we have obtained within a necessary scope determined by the purposes described above.

(5) Disclosure of personal information subject to disclosure and call center
Individuals who have provided personal information to Panasonic may request that Panasonic perform any of the following actions in respect to such information that is subject to disclosure.
a) Notify them of the purpose
b) Disclose the content of the information held
c) Revise or make corrections to information
d) Add new information
e) Remove information no longer relevant
f) Terminate the usage of personal information held
g) Dispose of all personal information held
h) Terminate the provision of personal information to third parties
For requests concerning any of the above actions, please contact us via inquiry form.
Panasonic Corporation Panasonic PSIRT

(6) Notes on entering personal information
In some cases, we will contact individuals by e-mail or telephone. Please note that if you do not enter your telephone number or e-mail address we may be unable to contact you.

(7) Acquisition of personal information by means that cannot identify individuals easily
We do not obtain personal information using means such as cookies or Web beacons by which individuals cannot be easily identified.

(8) Bug Bounties
Panasonic Corporation does not run a bug bounty program for its products.

(9) Vulnerability Coordination Policy / Vulnerability Disclosure Policy
Panasonic PSIRT will handle reported vulnerabilities in accordance with this policy.

(10) CVE Numbering Authority (CNA)
As of December 1, 2021, Panasonic PSIRT has become a CVE Numbering Authority (CNA). As a CNA, Panasonic PSIRT will assign CVE ID to vulnerabilities found in Panasonic products. For Panasonic products reported with vulnerabilities, we will assign CVE IDs and disclose them in a timely manner to protect the security and safety of our products and customers.
Bug bounty programs / OLA Bug Bounty
« Last post by Angelina on July 31, 2023, 05:39:54 pm »
submit bug report: https://whitehat.olacabs.com/

Bug Bounty Program Information
The Ola Bug Bounty Program ("Program") is designed to encourage security researchers to find security vulnerabilities in Ola's software and to recognize those who help us create a safe and secure product for our customers and partners. The Program is operated and facilitated by ANI Technologies Private Limited and its affiliates (together "Ola").

If you believe you have found a security vulnerability in Ola software, we encourage you to let us know as soon as possible. We will investigate the submission and, if it is found valid, take the necessary corrective measures. We may request additional information regarding the vulnerability(ies), which you will cooperate in providing. We request you to review our bug bounty policy as mentioned below, along with the reporting guidelines, before you report a security issue. By submitting any information to us, you agree to be bound by these terms and conditions ("T&Cs").

To show our appreciation for the security researchers, we offer a monetary reward/goodies for all valid security issues based on the severity, impact and complexity of the same; the individual will also be given an honourable mention in our Hall of Fame.

The information on this page is intended for security researchers interested in reporting security vulnerabilities to the Ola security team. If you are an Ola customer and have concerns regarding non-information-security-related issues, or are seeking information about your Ola account / complaints, please reach out to customer support.

Reporting security issues
Go to the Report a Vulnerability page to report security issues related to our applications.

Rewards
We offer monetary rewards for security issues which meet the following criteria:

The minimum monetary reward for eligible bugs is 1000 INR. All reward amounts, once communicated by Ola, are non-negotiable.
We may reward only with awesome goodies depending on the severity of the vulnerability.
Apart from monetary benefits, vulnerability reporters who work with us to resolve security bugs in our products will be honored on the Hall of Fame page.
Rewards are decided based on the severity, impact, complexity and the awesomeness of the vulnerability reported and it is at the discretion of Ola Bug Bounty panel.
* All the monetary rewards mentioned on this page are in Indian Rupees (INR).

Responsible disclosure & reporting guidelines
You are bound by utmost confidentiality with Ola. You will not publicly or otherwise disclose any information regarding a bug or security incident without Ola’s prior approval.
Please understand that due to the high number of submissions, it might take some time to triage the submission or to fix the vulnerability reported by you. Therefore, give us a reasonable amount of time to respond to you.
Originality, quality, and content of the report will be considered while triaging the submission, please make sure that the report clearly explains the impact and exploitability of the issue with a detailed proof of concept.
Please make sure that any information such as proof-of-concept videos, scripts, etc. is not uploaded to any 3rd party website and is directly attached as a reply to the acknowledgement email that you receive from us.
You are obliged to share any extra information if asked for, refusal to do so will result in invalidation of the submission.
You will not access any data/internal resources of Ola as well as the data of our customers without prior approval from the Ola security team.
You must be respectful to our existing applications, and in any case you should not run test-cases which might disrupt our services.
Do not use scanners or automated tools to find vulnerabilities since they’re noisy. Doing so will invalidate your submission and you will be completely banned from the Program.
We also request you not to attempt attacks such as social engineering, phishing etc. These kinds of findings will not be considered as valid ones, and if caught, might result in suspension of your account and appropriate legal action as well.
Responsibility at our end
We will be fast and will try to get back to you as soon as possible.
We will keep you updated as we work to fix the bug you have submitted.
The Hall of Fame will be updated only once the vulnerability has been fixed.
Targets in scope
*.olacabs.com
*.olamoney.com
*.ola.foundation
*.olaelectric.in
*.mission-electric.in
*.ola.institute
Ola Cabs mobile app ( Android | iOS )
Ola Lite mobile app - Lighter version of Ola Cabs app ( Android )
Ola Money mobile app ( Android | iOS )
Ola Operator mobile app ( Android )
Ola Partner mobile app ( Android | iOS)
Out of Scope Targets
All the sandbox and staging environments are out of scope.
All external services/software which are not managed or controlled by Ola are considered as out of scope / ineligible for recognition.
Newly acquired company websites/mobile apps are subject to a 12 month blackout period. Issues reported sooner in such websites/mobile apps won't qualify for any reward or recognition.
Eligibility
Prerequisites to qualify for reward or recognition:

Be the first researcher to responsibly disclose the bug. Duplicate submissions are not eligible for any reward or recognition.
Must adhere to our Responsible disclosure & reporting guidelines (as mentioned above).
This program is applicable only for individuals not for organizations.
Verify the fix for the reported vulnerability to confirm that the issue is completely resolved.
In scope vulnerability examples
Report a bug that could compromise the integrity of user data, circumvent the privacy protections of user data or enable access to a restricted/sensitive system within our infrastructure.

Example of such bugs are:

Cross-Site Scripting (XSS)
SQL Injection
XML external entity (XXE) injection
Server Side Template Injection (SSTI)
Server Side Request Forgery (SSRF)
Cross-Site Request Forgery (on sensitive actions)
Broken Authentication / Authorization
Broken Session flaws
Remote Code Execution (RCE)
Privilege Escalation
Business Logic flaws
Payment Related Issues
Misuse/Unauthorized use of our APIs
Open Redirects (which allow stealing secrets/tokens)
Out of scope vulnerabilities
Some of the reported issues, which carry low impact, may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues which typically do not earn any recognition:

Clickjacking
Bugs requiring exceedingly unlikely user interaction (e.g. Social engineering)
Spamming (e.g. SMS/Email Bombing)
Any kind of spoofing attacks or any attacks that lead to phishing (e.g. Email spoofing, Capturing login credentials with a fake login page)
Denial-of-service attacks or vulnerabilities that lead to DoS/DDoS
Login - Logout cross-site request forgery
Self XSS
Presence of server/software banner or version information
Stack traces and Error messages which do not reveal any sensitive data
Third party API key disclosures without any impact or which are supposed to be open/public.
OPTIONS / TRACE HTTP methods enabled
Missing HTTP Security Headers (e.g. Strict-Transport-Security - HSTS)
Missing Cookie Flags (e.g. HttpOnly, Secure, etc.)
Host Header Injection
Broken Links (e.g. 404 Not Found page)
Known public files or directories disclosure (e.g. robots.txt, css/images etc)
Browser ‘autocomplete’ enabled
HTML / Text Injection
Forced Browsing to non-sensitive information (e.g. help pages)
Certificates/TLS/SSL related issues (e.g. BREACH, POODLE)
DNS issues (e.g. Missing CName, SPF records etc.)
End of Life Browsers / Old Browser versions (e.g. Internet Explorer 6)
Weak CAPTCHA or CAPTCHA bypass (e.g. using browser addons)
Coupon Misuse
Brute force on forms (e.g. Contact us page)
Brute force on “Login with password” page
Account lockout not enforced
CSV injection
Any kind of vulnerabilities that requires installation of software like web browser add-ons, etc in victim's machine
Rate limit mechanism bypass
Kiosk mode / Screen pinning bypass
Any kind of vulnerabilities that requires physical device access (e.g. USB debugging), root/jailbroken access or third-party app installation in order to exploit the vulnerability
Bypassing root/jailbroken detection
SSL Pinning bypass
Tapjacking
Reporting usage of known-vulnerable software/known CVEs without proving the exploitability on Ola's infrastructure by providing a proper proof of concept
Bug which Ola is already aware of or those already classified as ineligible
Terms and Conditions
By participating, you agree to comply with Ola’s Terms and Conditions which are as follows:

You shall abide by all the applicable laws of the land. Ola will not be responsible for any non-adherence to applicable laws on your part.
You shall not engage in any confidentiality or privacy breaches or violations, destruction, removal or amendment of data (personal or otherwise), or interruption or degradation of our services during your participation in this Program. In case of any breach or violation, Ola reserves the right to ban you from the Program and/or take legal action.
Eligibility for reward or recognition is at the discretion of Ola.
Exploiting or misusing the vulnerability for your own or others' benefit will automatically disqualify the report.
Threatening of any kind will automatically disqualify you from participating in the program.
All the communications with Ola related to this program are to remain fully confidential. Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed. Failure to do so shall constitute a material breach of these T&Cs.
Ola reserves the right to discontinue the responsible disclosure program at any time without notice.
You may only investigate, or target vulnerabilities against your own account. Testing should not violate any law, or disrupt or compromise any data or access data that does not belong to you.
Vulnerabilities which Ola determines as accepted risk will not be eligible for any kind of recognition.
Any solutions, recommendation or suggestions, including any intellectual property contained therein, provided by you to Ola under this Program, shall immediately transfer to Ola without any limitations or exceptions, and once communicated to Ola you waive all rights, title, ownership and interest therein. If requested, you shall provide Ola with appropriate documentation to formalise any such transfer or assignment.
Changes to Program Terms
The Program, including its policies, is subject to change or cancellation by Ola at any time, without notice. As such, Ola may amend these Program T&Cs and/or its policies at any time by posting a revised version on our website. By continuing to participate in the bug bounty program after Ola posts any such changes, you implicitly agree to comply with the updated Program terms.

Program Termination
In the event you breach any of these T&Cs or any other Program terms that Ola releases, Ola may immediately terminate your participation in the Program and/or take any further legal actions as necessary. In some cases all your previous contributions may also be invalidated.

Legal points
We shall not issue reward or recognition to any individual who does not follow the guidelines of our program and depending upon the action of an individual, we could take strict legal action. Ola does not commit to any compensation other than as outlined in these T&Cs or as communicated to you at the time of your submission. Ola shall not be liable to make any payments or rewards towards you in any other circumstances. Ola shall also not be liable in the event of delayed response to you for any submission.

Testing using Tools
Don't be evil. Practice safe checks. You must not use any automated tools/scripts, as those can be disruptive or cause systems to misbehave; doing so will invalidate your submission and you will be completely banned from the Ola bug bounty program.
Bug bounty programs / myob Bug Bounty
« Last post by Angelina on July 31, 2023, 05:38:14 pm »
submit bug report: https://www.myob.com/au/about/security/report-security-vulnerability

Report Security Vulnerability
MYOB is committed to resolving any issues that may compromise the security of our products and services as quickly as possible. We take security vulnerabilities very seriously and protecting client data is one of our top priorities.

If you have discovered a security vulnerability, we would appreciate if you could keep your findings strictly confidential and disclose the relevant information to us in a responsible manner, as described below.

How to report a security vulnerability?
If you think you’ve found a security vulnerability in MYOB products, services or online platforms, please contact us immediately via email and encrypt your report with our PGP key below:

Email contact: securityteam@myob.com

PGP Key: 702A28D9

Fingerprint: 0304 AA70 BFEC 40C8 75F0 BBD4 2A40 D90B 702A 28D9

What to include in the report?
Please provide as much detail as possible. In particular, we would appreciate the following:

An explanation of the security vulnerability
A list of the products and services that may be affected (versions where applicable)
Steps to reproduce the vulnerability
Proof-of-Concept code or software
Test accounts you have created
URLs, IP addresses or infrastructure associated with the vulnerability (if relevant)
Your contact information, such as your organisation and contact name for ongoing communication
Please also advise if you have communicated the vulnerability to CERT or other parties and provide us with any reference numbers.

Rules of engagement
Please do not:

Take advantage of a security vulnerability
Access, delete or modify MYOB or client data
Publicly disclose a vulnerability until it has been resolved
Download more data than necessary to demonstrate a vulnerability
Attempt to break into client accounts
Ask for compensation for your report
Use Social Engineering, Denial of Service or Phishing attacks
Next steps
Please maintain confidentiality and do not make your research public until we have completed our investigation and implemented patches or other mitigations.

The MYOB security team will endeavour to contact you within 72 hours of you reporting the security vulnerability and keep you informed on our progress towards resolving the vulnerability. We will notify you when the security vulnerability has been patched or mitigated, and add your name to our acknowledgments page if it is a valid high or critical vulnerability.
Bug bounty programs / Mailchimp Bug Bounty
« Last post by Angelina on July 31, 2023, 05:37:05 pm »
submit bug report: https://mailchimp.com/about/security/

As a company that takes data security and privacy very seriously, we recognize that Mailchimp’s information security practices are important to you. While we don’t like to expose too much detail around our practices (as it can empower the very people we are protecting ourselves against), we have provided some general information below to give you confidence in how we secure the data entrusted to us.



Data Center Security
Mailchimp delivers billions of emails a month for millions of users. We use multiple MTAs, placed in different world-class data centers around the United States.
Our data centers manage physical security 24/7 with biometric scanners and the usual high tech stuff that data centers always brag about.
We have DDOS mitigation in place at all of our data centers.
We have a documented "in case of nuclear attack on a data center" infrastructure continuity plan.


Protection from Data Loss, Corruption
All databases are kept separate and dedicated to preventing corruption and overlap. We have multiple layers of logic that segregate user accounts from each other.
Account data is mirrored and regularly backed up off site.


Application Level Security
Mailchimp account passwords are hashed. Our own staff can't even view them. If you lose your password, it can't be retrieved—it must be reset.
All login pages (from our website and mobile website) pass data via TLS 1.2 or higher.
The entire Mailchimp application is encrypted with TLS 1.2 or higher.
Login pages and logins via the Mailchimp API have brute force protection.
We perform regular external security penetration tests throughout the year using different vendors. The tests involve high-level server penetration tests, in-depth testing for vulnerabilities inside the application, and social engineering drills.


Internal IT Security
Mailchimp offices are secured by keycard access and biometrics, and they are monitored with infrared cameras throughout.
Our office network is heavily segmented and centrally monitored.
We have a dedicated internal security team that constantly monitors our environment for vulnerabilities. They perform penetration testing and social engineering exercises on our environment and our employees. Our security team includes OSCP and CISSP certified members.


Internal Protocol and Education
We continuously train employees on best security practices, including how to identify social engineering, phishing scams, and hackers.
Employees on teams that have access to customer data (such as tech support and our engineers) undergo criminal history and credit background checks prior to employment.
All employees sign a Privacy Safeguard Agreement outlining their responsibility in protecting customer data.
In order to protect our company from a variety of different losses, Mailchimp has established a comprehensive insurance program. Coverage includes, but is not exclusive to: coverage for cyber incidents, data privacy incidents (including regulatory expenses), general error and omission liability coverage, excess cyber liability coverage, property and business interruption coverage, as well as international commercial general liability coverage.


SOC II Compliant PCI DSS Certification
Mailchimp's credit card processing vendor uses security measures to protect your information both during the transaction and after it is complete. Our vendor is certified as compliant with card association security initiatives, including the Visa Cardholder Information Security and Compliance (CISP), MasterCard® Site Data Protection Program (SDP), and Discover Information Security and Compliance (DISC). We also perform annual SOC II audits.

We provide our SOC II Report upon request. Please click the ‘Request Report’, and include any additional questions you may have.

Request Report



ISO 27001 Certification
The International Organization for Standardization 27001 Standard (ISO 27001) is an information security standard that ensures office sites, development centers, support centers, and data centers are securely managed. These certifications run for 3 years (renewal audits) and have annual touchpoint audits (surveillance audits).

Download ISO certification



Protecting Ourselves Against You
Yes, you heard that correctly. We can secure ourselves like Fort Knox, but if your computer gets compromised and someone gets into your Mailchimp account, that's not good for either of us.

We monitor and will automatically suspend accounts for signs of irregular or suspicious login activity.
Certain changes to your account, such as to your password, will trigger email notifications to the account owner.
We monitor accounts and campaign activity for signs of abuse.
In addition to our scalable algorithms, we employ another layer of human reviewers, who monitor for anomalous account and email activity.
We provide the ability to establish tiered-levels of access within accounts.


Investing in Your Privacy
Our Legal team partners with our developers and engineers to make sure our products and features comply with applicable international spam and privacy laws.
We retain a law firm in the UK to consult on EU privacy issues.
We undergo annual verification with a U.S. based third party-outside compliance reviewer under the Privacy Shield verification program, and we have certified our compliance with the EU-U.S./Swiss-U.S. Privacy Shield Frameworks.
We are members of the ANA, ESPC, OTA, and MAAWG.
Our corporate attorneys and Legal Compliance Manager are active members of the International Association of Privacy Professionals (IAPP) and collectively hold the certifications of CIPP/US, CIPP/G, and CIPP/E.


Responsible disclosure program
Mailchimp is committed to ensuring the security of our services and customer information. As part of this commitment, we encourage security researchers to contact us to report any potential weaknesses identified in any product, system, or asset belonging to Intuit. This program isn’t intended to represent a public bug bounty program and we make no offers of reward or compensation for submitting potential issues. We appreciate your commitment to improving Mailchimp services.

Responsible disclosure guidelines
Security Researchers will disclose potential weaknesses in compliance with the following guidelines:

Do

Share the security issue with us before making it public (e.g., on message boards, mailing lists, or other forums).
Wait until we provide you notification that the vulnerability has been resolved before you disclose it to third parties. We're focused on the security of our customers and our systems, and some vulnerabilities take longer than others to address.
Provide a clear, concise description of the steps needed to reproduce any vulnerability you submit.
Provide the complete details related to the security issue, including proof-of-concept (POC) URL, as well as the details of the system(s) where tests have been conducted.
Don't

Don’t cause harm to Mailchimp, Intuit, its customers, shareholders, partners or employees.
Don’t engage in any act that may cause an outage or stop any of Mailchimp’s services.
Don’t engage in illegal activities or any acts that violate any international laws or regulations, or federal or state laws or regulations.
Don’t store, share, compromise or destroy any Mailchimp data or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify Mailchimp.
Don’t conduct fraudulent activity or complete fraudulent financial transactions as part of your research.
Out-of-scope vulnerabilities

The following types of vulnerabilities are out of scope for this program:

Phishing
Social engineering
Physical security assessments
Any form of denial of service (DoS) attack


Submission Guidelines
All potential weaknesses submitted must include enough information to reproduce and validate the issue. Documentation should include a detailed summary of the issue, targets, steps performed, screenshots, tools utilized, and any information that will help Intuit during triage.

By following these guidelines and responsibly disclosing any security weaknesses directly to Intuit, we agree not to pursue legal action against you. Mailchimp reserves its legal rights in the event of noncompliance with program guidelines.

Mailchimp will review and promptly acknowledge any submitted issue within three business days of submission through its web form, found here: Responsible Disclosure Form
Bug bounty programs / KPN Bug Bounty
« Last post by Angelina on July 31, 2023, 05:35:15 pm »
submit bug report: https://www.kpn.com/algemeen/missie-en-privacy-statement/beveiligingskwetsbaarheid/beveiligingskwetsbaarheid-melden.htm

Thank you for reporting possible security vulnerabilities in KPN systems and networks. We will contact you personally within 2 working days.
We request that you provide the following information:

A detailed description of the problem
IP addresses, logs and screenshots
Instructions on how to reproduce the incident
Bug bounty programs / Indeed Bug Bounty
« Last post by Angelina on July 31, 2023, 05:34:07 pm »
submit bug report: https://bugcrowd.com/indeed

Our Mission:
At Indeed, our mission is to help people get jobs.

Since 2004, Indeed has given job seekers free access to millions of jobs from thousands of company websites and job boards. As the leading pay-for-performance recruitment advertising network, Indeed drives millions of targeted applicants to jobs in every field and is the most cost-effective source of candidates for thousands of companies.

We take our security very seriously and welcome any responsible disclosure of potential gaps in our systems. Please read through the following details to help you focus on the areas most important to us.

Indeed may award an additional reward bonus for exceptional reports. This will be done at Indeed’s discretion. Good luck, and happy hunting!

Testing Requirement
Create your Job Seeker and Employer accounts with a +bugbounty to avoid moderation locking your account for suspicious activity. Example: researcher+bugbounty@bugcrowdninja.com

Include bugbounty in the company title you create and do not attempt to misrepresent yourself as a real company.

Where possible, add text bugbounty to requests you are sending to our applications, so our team can identify the traffic being generated as part of your testing.

Program Ground Rules
Respect our users' privacy.
Leave the Site as you found it.
Don't violate our Terms of Service or the law.
Don't impact our services.
No interacting with others.
Cooperate with Indeed.
Participation Eligibility.
Follow Bugcrowd's rules.
Respect our users’ privacy.
If during your research you happen to encounter any information about another user or other individual, immediately stop and report this to Indeed. To participate in this program, you only need to explain the technical vulnerability you discovered.

You must avoid any viewing, copying, altering, destroying, or otherwise interacting with any data, in particular data of other individuals, to which you may gain access through this research. If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required for effectively demonstrating the vulnerability; cease testing, and submit a report immediately if you encounter any user data during testing. This may include Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information.

Leave the site as you found it.
Do not copy, save, store, transfer, disclose, or otherwise retain any information you find on our site during your research, except to report your research to Indeed.

Don't violate our Terms of Service or the law.
All access to our Site must otherwise be in accordance with our Terms of Service and all applicable laws.
In the event you access PII or other sensitive data, note that you are required to follow all laws and regulations applicable to the access and processing of such personally identifiable information and/or data, such as the California Consumer Privacy Act of 2018, the California Privacy Rights Act of 2020, New York Privacy Act 2021, once they become effective, and the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679), including the European Commission’s Standard Contractual Clauses regarding the transfer of personal data to processors.

Don't impact our services.
You must avoid causing any interruption or degradation of our services. Researchers who are found to be using aggressive automated tools will be blocked and removed from the program.

No interacting with others.
Any form of interaction with others on or through our Site, including but not limited to other Indeed users, is strictly prohibited. Close any active test jobs immediately after testing. Do not make any attempts to phish users or employees.

Cooperate with Indeed.
You will be expected to cooperate with us if we request your assistance in connection with your research.

Participation Eligibility.
Current employees or contractors of Indeed are not eligible to participate in the program. Former employees and contractors are eligible to participate in the program only if:

they have left Indeed more than 1 year prior to submission, and
they are not making use of, or referring to, any non-public Indeed information obtained when they were an employee or contractor.
Follow Bugcrowd’s rules.
This program follows Bugcrowd’s standard disclosure terms.

Severity, Rewards & Reporting
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified using the methodology defined below. In an instance where an issue is downgraded, Indeed will try to provide a detailed explanation to the researcher - along with the opportunity to appeal, and make a case for a higher priority. However, the final discretion remains with Indeed.

When we are determining severity, the following descriptions are not meant to be absolute categorizations. Severity depends on potential damage to the business and clients, ease of abuse, how much we can actually fix, size of the user base, and sensitivity of the data. Note: A high severity finding on a demo application may be a P4 due to the low impact and non-sensitive data.

When we are determining rewards within a severity range, the difference between, for example, a High-P1 ($10,000) and a Low-P1 ($4,000) would depend on the number of prerequisites required, the difficulty, the impact and the likelihood of exploitation.

For those reasons, we recommend providing:

An attack scenario: what is the most likely way an attacker actually abuses said vulnerability.
Clear, numbered reproduction steps: if we can't easily reproduce what you are describing, we may misinterpret the issue or severity.
A video PoC: for more complicated exploits.
Impact: your understanding of the impact to Indeed or its users if an attacker exploits the said vulnerability.
Recommended fix: if you have any good ideas on ways to mitigate the risk without impacting normal users, it would be appreciated.

Severity | Description | Examples
P1 | Vulnerabilities on Indeed applications that have the potential to: (1) affect most users, (2) disclose highly sensitive data, or (3) have a high impact on business operations. | RCE on backend systems, authentication bypass leading to account compromise, privilege escalations from unprivileged to Admin or cross-organizational lateral movement, sensitive data exposure of Job Seeker or Employer PII
P2 | Vulnerabilities that have the potential to: (1) affect many users, (2) disclose sensitive data, (3) could lead to reputational or substantial business loss, or (4) affect the security or availability of individual processes or services. | Stored XSS, exposed API credentials, subdomain takeovers on *.indeed.com
P3 | Vulnerabilities that can affect multiple or individual users with little to no user interaction, or only have security implications within an organizational context. | Reflected XSS, Intra-organizational privilege escalations, misconfigured CORS.
P4 | Issues that affect multiple or individual users and may require user interaction or significant prerequisites to exploit. The potential business or user impact is likely low, or sensitivity of the data considered to be low. | URL Redirects, Debug information, Some Intra-organizational privilege escalations.

Bugcrowd Vulnerability Rating Taxonomy (VRT) Exceptions
Some types of issues do not present a significant enough risk to Indeed, and are usually not accepted. Any submission of these types will only be rewardable if significant risk and impact can be demonstrated.

HTML injection
Self-XSS
Vulns only exploitable on out of date browsers or platforms
Information disclosure with minor security impact (pathing, stack traces, etc.)
SPF/DMARC/DKIM record missing on a domain
Vulns that require physical access or root accounts
Helpful Tips For Your Testing
Different Accounts Types and Roles: Job seekers and employer accounts have access to different features and views. You may want to set up test accounts as both. Organizations can have multiple employer accounts, each with different RBAC defined roles. See https://indeed.force.com/employerSupport1/s/article/206589143?language=en_US to learn more.
Group similar submissions: We ask that researchers who are able to identify the same or similar types of issues in multiple locations, across one of our applications combine those findings into a single submission that includes a description as well as the various locations where vulnerabilities have been identified.
Localization: Indeed is an international company with many different subdomains for different countries, running the same applications in different languages, example: mx.indeed.com, ca.indeed.com, in.indeed.com, vn.indeed.com. Localized versions can share the same codebase and therefore, a vulnerability found on many may only be eligible to be rewarded once.
Third party applications: For third party applications, such as WordPress, they will only be eligible for reward if there is action Indeed can take to mitigate issues identified. A good example of something we wouldn't pay out for is the output of WPScan showing recently out of date plugins, since regular patching is part of our WP management. An example of something we would pay out for is a POC showing unintended behavior that isn't in a vendor patch.
Disclosing results: This bounty requires explicit permission to disclose the results of a submission.
Documentation: Developer API portal & documentation: https://developer.indeed.com/
37
Bug bounty programs / Hootsuite Bug Bounty
« Last post by Angelina on July 31, 2023, 05:32:17 pm »
submit bug report: https://hootsuite.com/security/response

Tracking and Disclosing
We work hard to ensure our product is safe and secure. Have you discovered a security flaw that may impact our service or our users? Please let us know.

Submitting a Report
Hootsuite's Security Team will acknowledge your report, usually within 24 hours.
Our Team will assign a Point of Contact who will help track your issue.
Our Team will investigate the issue and determine the impact on our products.
While we will not disclose the issue until our investigation is completed, we will work with you to ensure we fully understand the issue, its scope and its scale.
When our Team resolves the issue, we will post an update along with thanks and credit for the discovery.
Contact us about Security Flaws
For incidents that affect a single user or account please contact Hootsuite Help - they are your fastest response for single-user security issues.

For incidents that affect many users please send urgent or sensitive reports directly to hootsec@hootsuite.com. Use our Public Key to keep your message safe and provide us with a secure way to respond.

If for some reason our Security Team does not respond within 24 hours, please follow up with us via Twitter @Hootsuite_Help. For requests that are not urgent or not sensitive, please submit a support request
38
Bug bounty programs / Guilded Bug Bounty
« Last post by Angelina on July 31, 2023, 05:31:13 pm »
submit bug report: https://support.guilded.gg/hc/en-us/articles/360039728333-Contact

Support - Support@guilded.gg
If you have any questions or need assistance with anything that you couldn't find in our Help Center, feel free to reach out to our support team.
Feedback - Feedback@guilded.gg
We appreciate your suggestions and ideas for improving Guilded. If you have any feedback to share, please send it to this email address.
Partners - Partners@guilded.gg
For existing, former, or prospective Guilded Partners, you can contact us at this email address for any inquiries or assistance related to partnerships.
Security - Roblox on hackerone
To report any vulnerability disclosures or security concerns

Press - Press@guilded.gg
For press inquiries or media-related matters, please reach out to us at this email address.
Contact - Contact@guilded.gg
For general or business inquiries you can contact us through this email address.
39
Bug bounty programs / Gamma Bug Bounty
« Last post by Angelina on July 31, 2023, 05:30:00 pm »
submit bug report: https://www.gamma.nl/klantenservice/veiligheid-privacy/responsible-disclosure

Responsible Disclosure
At Intergamma, the security of our systems is a top priority. To protect our and our customers' data, we secure our websites and systems as well as possible. It is of course human work, so there is always the possibility of an error creeping in. That is why we have a 'responsible disclosure policy', in collaboration with the Intigriti platform. Here you can report possible vulnerabilities.

What do we ask of you?
Submit your findings through the Intigriti Intergamma program.
Observe the rules and guidelines listed there.
Do not abuse what you have discovered, for example by downloading more data than necessary or by viewing, modifying or deleting data from third parties.
Do not use physical security attacks, social engineering, (distributed) denial of service attacks, spam, or brute force attacks.
40
Bug bounty programs / FoxyCart Bug Bounty
« Last post by Angelina on July 31, 2023, 05:28:03 pm »
submit bug report: https://bugcrowd.com/foxycart

We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at Foxy. Every day new security issues and attack vectors are created. FoxyCart strives to keep abreast of the latest state-of-the-art security developments by working with security researchers. We appreciate the community's efforts in creating a more secure world.

No technology is perfect, and we at Foxy believe that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Disclosure Policy
Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Exclusions
While researching, we'd like to ask you to refrain from:

Denial of Service attempts
Spamming
Social engineering (including phishing) of Foxy staff or contractors
Any physical attempts against Foxy property or data centers
Thank you for helping keep Foxy.io/FoxyCart.com and our users safe!

Before You Begin
Please read and follow the rules in the Standard Disclosure Terms.
Please review our blog post about submitting helpful reports.
Review the "Out of Scope" section below.
Please review the "Known Issues" below.
What, Where, and How to Test
At its simplest, FoxyCart works by adding products to a /cart endpoint via GET or POST request. Click here for some examples on our homepage.

To do more in-depth testing and create your own account:

Create an account at https://admin.foxycart.com/signup/.
When creating your account, please use the following format:
When creating your store's subdomain, please use the following format:
username-bugcrowd
Example: bugcrowd_01-bugcrowd.foxycart.com.
Test as desired. You can use the default Authorize.net gateway test account and the test credit card 4111 1111 1111 1111 to test successful transactions. Full documentation is available at wiki.foxycart.com, and there's a quick cheat sheet as well.
Create an API client at api-sandbox.foxycart.com or from the "integrations" page in the admin. The API uses OAuth 2.0, and can handle nearly every request that admin.foxycart.com can.
Please do not use automated scanners or aggressive scripts.

DO NOT REPORT Known Issues & False Positives
DMARC, DKIM, or SPF records missing on domains or subdomains.
DROWN ATTACK NOTE: (2016-03-02) Don't report that we're vulnerable to DROWN unless you can show an IP and domain that match what you're attempting, and that are actually vulnerable. The DROWN test tool isn't giving you the info you might think it's giving you.
BREACH Attack: Unless you can confirm our mitigation approach at admin.foxycart.com isn't sufficient, please do not report this.
Session persistence after logout.
For admin.foxycart.com: If you believe you can reuse a logged in cookie after a logout, please confirm you can replicate it. This has been reported a few times in error, so we'll need a screencast, details of the requests/responses, AND confirmation that you've been able to replicate it (with detailed steps) before we will spend time attempting to reproduce this.
For admin.foxy.io: This is a known issue and excluded from our bug bounty program.
SSRF: Our cache endpoint (which caches images and is publicly accessible) and our template caching (available in the admin) make outbound GET requests. Similarly, other functionality may make outbound requests (webhooks, tax systems, etc.). This is by design. We'll only accept SSRF reports if you can demonstrate accessing internal or otherwise privileged access.
CSRF: If you report a CSRF issue and you include a valid CSRF token in your POC... Please just don't do that.
Automated Scanning Tools: Don't just blindly report whatever your tool reported. It'll waste our time and yours if you don't verify it's an actual issue.
Moving on…

The most important thing to note is how FoxyCart works. Please don't report the following behavior:

Products can be added via a GET or POST, and a product's name, price, or other options can be modified. This is by design. We designed our system for flexibility and there is a way to protect add-to-cart links and forms.
These requests can be submitted to SSL from a non-SSL page.
The templates (cart, checkout, receipt, email) can include whatever javascript the user would like. Again, this flexibility is by design.
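The post says add-to-cart requests are tamperable by design and that signing the link is the protection. The following is an added illustration of that idea (HMAC over the merchant-fixed fields, verified server side), not FoxyCart's own scheme; the secret, field names and URLs are constructed for the example.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qsl

# Constructed store secret for this example only; in a real deployment it
# stays on the server and in the merchant's link generator, never in pages.
STORE_SECRET = b"example-store-secret-not-real"

# Fields the merchant fixes when generating the link. Anything else
# (e.g. quantity) is left unsigned so the shopper may legitimately vary it.
SIGNED_FIELDS = ("name", "code", "price")


def _canonical(params: dict) -> bytes:
    """Deterministic byte string over the signed fields, in a fixed order,
    so that reordering the query string cannot change the MAC input."""
    return "&".join(f"{k}={params[k]}" for k in SIGNED_FIELDS).encode()


def sign_cart_params(params: dict, secret: bytes = STORE_SECRET) -> dict:
    """Return a copy of params carrying an HMAC-SHA256 tag over SIGNED_FIELDS."""
    tag = hmac.new(secret, _canonical(params), hashlib.sha256).hexdigest()
    return {**params, "sig": tag}


def build_add_to_cart_url(base: str, params: dict) -> str:
    """Merchant side: produce a signed add-to-cart link."""
    return base + "?" + urlencode(sign_cart_params(params))


def verify_cart_request(query: str, secret: bytes = STORE_SECRET) -> bool:
    """Server side: accept the request only if the signed fields are intact.
    Missing signature or missing signed field is treated as tampering."""
    params = dict(parse_qsl(query))
    if "sig" not in params or any(f not in params for f in SIGNED_FIELDS):
        return False
    expected = hmac.new(secret, _canonical(params), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, params["sig"])


def set_param(query: str, field: str, value: str) -> str:
    """Helper for the demo: rewrite one query parameter, as an attacker
    editing the link would (quantity edits are fine, price edits are not)."""
    params = dict(parse_qsl(query))
    params[field] = value
    return urlencode(params)


if __name__ == "__main__":
    product = {"name": "Widget", "code": "W1", "price": "19.99", "quantity": "1"}
    url = build_add_to_cart_url("https://example-store.example/cart", product)
    query = url.split("?", 1)[1]
    print("signed link accepted:", verify_cart_request(query))
    print("quantity changed:", verify_cart_request(set_param(query, "quantity", "3")))
    print("price changed:", verify_cart_request(set_param(query, "price", "0.01")))
```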
The following finding types are specifically excluded from the bounty:

General issues:

Self-XSS and issues exploitable only through Self-XSS.
Editing certain non-user-controllable HTTP headers such as Referer can trigger a reflected XSS on certain pages.
SSL cipher strength issues as reported by automated scanning tools, unless you have a practical exploit.
Clickjacking headers not present on some of our subdomains.
HTTP 404 codes/pages or other HTTP non-200 codes/pages.
CSRF on forms that are available to anonymous users (e.g. the contact form, search form).
Presence of application or web browser 'autocomplete' or 'save password'.
Disclosure of known public files or directories, (e.g. robots.txt).
Banner disclosure on common/public services.
No Strict Transport Security (HSTS) headers set.
Normal OPTIONS responses.
Some domains do not have proxy protection.
cache.php will cache/load images from 3rd-party domains. This is by design. (See the note about SSRF above.)
Some forms do not have rate limiting / brute-force protections. (Please don't automate a ton of contact forms or anything.)
Lookalike domains exist that we don't own or are unregistered.
Host Header validation/injection, unless you have a demonstrable exploit. (Please don't submit host header redirection issues.)
Admin-related issues:

NEW ADMIN at admin.foxy.io: We're currently only accepting security-related bug reports.
3rd-party scripts are loaded within the admin.
Account creation at admin.foxycart.com does not have captcha or email validation.
Multiple failed login attempts for an invalid user do not result in an IP-based block. (Please note that multiple failed login attempts for a valid user will result in a temporary lock for that user, but you'll still get a 200 response. Also, we do IP-based blocking in certain other cases.)
Login Page / Forgot Password page messaging, account brute force, or account lockout not enforced. (Again, there's enforcement in some areas, and we're aware of others already.)
Password resets...
Indicate whether an account exists or not.
Don't generate an additional email to the admin user.
Are sent via a link that's Base64 encoded.
That link shows in the referrer header when loaded in the Foxy admin.
Aren't rate limited.
Aren't expired on email change.
Admin email changes happen without an email confirmation.
There's no maximum password length. This is not a DoS issue.
Admin sessions are not invalidated on… certain events. In the situations where sessions aren't invalidated, this is a known issue. (Similarly, we don't support MFA yet, and don't have robust "suspicious" login detection. We're working on that.)
Admin does not require re-authentication on certain actions.
Logout Cross-Site Request Forgery (logout CSRF).
Clickjacking is possible in certain old browsers that don't support the X-Frame-Options header but do support TLSv1.1+.
There exists an edge case where it's possible to change an admin password without providing the original password. We are aware and working to diagnose. (If you can reliably reproduce, that'd be a valid submission. Otherwise it's a known issue.) (There exists another way to do this that we can reproduce, related to the password reset email URL. This is a known issue.)
Generated CSVs may allow for Excel-specific functions to be output.
RC4 encryption is used in legacy webhook systems.
Cart and Checkout issues:

Form POSTs and GETs to /cart are possible from http. (http->https MITM attack vector.)
Cart requests do not require CSRF or have other protection (aside from the HMAC signing mentioned above).
The ability to modify product parameters in a link or form, if the account has the HMAC signing functionality disabled. (Again, as mentioned above.)
Clickjacking headers (and/or other mitigating precautions) not present on some of our subdomains.
The session-specific referrer header can be manipulated, and is output to customers in certain situations.
Password resets (and customer logins) indicate whether an account exists or not.
It's possible to create a duplicate customer account with an existing email under very specific circumstances.
Networking and infrastructure:

Host Header injection/modification/redirects. We're aware.
It's possible to reveal an internal IP address if you modify a redirected request. This is an AWS ELB/ALB thing, and the IP revealed is not one of ours.
Open redirect on the store's *.foxycart.com subdomain (or custom domain) without a /cart parameter, redirects to the configured store URL.
A Note about XSS
Please note: If you've identified an XSS issue (especially on our www site), please make sure it is actually exploitable beyond Burp Suite or whatever you're using. If you can't reproduce the XSS in a browser, we will likely consider it self-XSS, and an invalid submission.

A Note about CSRF
We get a lot of CSRF reports that include the CSRF token in the proof of concept. Before reporting CSRF, make sure you actually understand what CSRF is, because if you include the CSRF token in your POC, it's just a waste of your time and ours.

Out of Scope: Other *.foxycart.com or *.foxy.io Domains
Foxy customer sites and applications are out of scope for this program. You can create a free test account at admin.foxycart.com if you'd like to test the cart and checkout flow itself. Please don't test our users.

For vulnerabilities found at the following subdomains, we make a distinction between the underlying system and our own modifications. For example, we use Dokuwiki for our wiki. If you find a security issue in our implementation of Dokuwiki, that may be valid and eligible for a reward from us. But, for instance, an issue with Dokuwiki itself should be reported to them.

www.foxy.io uses Grav CMS
www.foxy.io/blog uses WordPress
Please note that reports about xmlrpc.php being present are excluded from our program.
wiki.foxycart.com uses Dokuwiki
affiliate.foxycart.com uses iDevAffiliate
support.foxy.io uses HelpJuice