Responsible Disclosure Program

Our Responsible Disclosure Program aims to foster collaboration with security researchers to identify and address potential vulnerabilities in our systems, ensuring the security and privacy of our users and customers. We appreciate the efforts of researchers who responsibly report security issues and adhere to the guidelines outlined below.

Scope: The scope of our program includes all publicly accessible web assets owned and operated by our organization. This encompasses:

  • All web applications
  • APIs
  • Mobile applications
  • Backend infrastructure

Out of Scope Assets:

What to Do:

  1. Conduct thorough testing within the scope outlined above.
  2. Report any identified vulnerabilities promptly and responsibly via email to [email protected] with the subject line prefixed with “Security Vulnerability Report”.
  3. Provide detailed information on the vulnerability, including steps to reproduce, impact, and any potential mitigations.
  4. Allow a reasonable amount of time for our security team to investigate and address the reported vulnerability before publicly disclosing it.
  5. Respect the privacy and confidentiality of our users and their data throughout the disclosure process.

What Not to Do:

  1. Do not attempt to exploit vulnerabilities beyond what is necessary for testing.
  2. Do not access, modify, or delete data that does not belong to you.
  3. Do not engage in any activity that may disrupt our services, including DDoS attacks.
  4. Do not publicly disclose the vulnerability before receiving confirmation from our security team.
  5. Do not perform automated scanning without explicit permission.

OWASP Top 10 Vulnerabilities in Scope:

  1. Injection (e.g., SQL injection, LDAP injection)
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging and Monitoring

Out of Scope:

  1. Physical security vulnerabilities
  2. Social engineering attacks
  3. Denial of Service attacks
  4. Third-party applications not owned or operated by our organization
  5. Anything not directly related to our web assets
  6. Any vulnerability type not mentioned above.

Do No Harm:

  • Under no circumstances should any actions taken during testing harm our systems, customers, or users.
  • Always use non-destructive testing methods.
  • Handle any sensitive data encountered during testing with the utmost care and confidentiality.

Report Template:

Subject: Security Vulnerability Report - [Brief Description]
Researcher: [Your Name]
Date: [Date of Report]
Description:
[Provide a detailed description of the vulnerability, including steps to reproduce, impact, and any potential mitigations.]
Proof of Concept:
[Include any relevant code snippets, screenshots, or videos demonstrating the vulnerability.]
Disclosure Timeline:
[Specify when the vulnerability was discovered, when it was reported, and any subsequent communications.]
Thank you for your attention to this matter.
Sincerely,
[Your Name]

Contact Information: For inquiries related to our Responsible Disclosure Program or to report a vulnerability, please get in touch with our security team at [email protected].

We may offer T-shirts and other gadgets as swag for reports rated 8-10 on the CVSS scale. Currently, swag is only offered to Pakistani researchers.

Hall of Fame Acknowledgment:

We extend our heartfelt appreciation to the following individuals for their valuable contributions to the security of our systems through our Responsible Disclosure Program. Their dedication to identifying and responsibly reporting vulnerabilities has been instrumental in safeguarding our users’ data and ensuring the integrity of our platforms.

Hall of Fame:

Researcher            Portfolio    No. VA
Salman Khan           Sprotechs    1
Hasir Hamdan          Linkedin     1
D.Sanjai Kumar        Linkedin     1
Rivek Raj Tamang      Linkedin     1
Waseeq shah           Instagram    1
Muhammad Abdullah     Linkedin     2
Butirandebu           Linkedin     1

Analytics are updated after the fix.
VA = Vulnerabilities Accepted.