Before getting to the fun stuff, a quick word from the boss.
Whilst we can’t wait to see what you will find, please take care when testing! We want you to have as much freedom as possible to test how you see fit, but naturally if a service went down, alarm bells would start ringing! If you believe you’ve found an issue but are worried that further exploitation might impact the service you’re testing, just compile all the information you have in your report and we can do any further tests we see fit. Note that this doesn’t mean reporting for the sake of reporting; you’ll need some form of evidence to back up the claim! On the subject of reporting…
Reporting is super important! When you submit your report please include as much information as possible. That way we can narrow things down a lot quicker and get you rewarded faster. Also, and even worse, if it’s not clear in the report it could be marked as a non-issue, which isn’t fun for anyone!
Ideally, we would like you to include the following at a minimum:
• Issue description
• Affected hosts/ports
• Potential Impact
• Screenshots, Videos and/or general PoC
If possible, a step-by-step reproduction of the issue is ideal as it allows us to emulate the scenario you found the issue in as closely as possible.
What Do We Want?
From a high-level perspective, we have 5 categories:
• P1 – The kind of issues that keep us up at night
• P2 – The high-risk issues that should be fixed pronto
• P3 – Not necessarily the end of the world, but should be fixed
• P4/P5 – The ‘nice to know about’ kind of issues
Naturally we are most interested in the P1s and P2s as they have the biggest potential for impact. However, we still want to hear about the others! Especially if you can take something that sounds like a P4 and expand the attack into something higher.
Provided it’s in scope, we are interested in any and all attacks in P1, P2 and P3.
For now, if it’s a P4 or a P5 we won’t pay for it, but that doesn’t mean they are off the table. If you use anything mentioned in P4 or P5 to facilitate some creative exploitation, you’ll be rewarded accordingly!
Out of Scope
The following issues are already known to us and are considered Out of Scope:
- Subdomain Hijacking/Takeover
- User Enumeration
- No Rate Limiting on forms
- xmlrpc.php presence. Yes, we use WordPress
- Mass vulnerability scanner output
- Clickjacking or UI redress, unless you can prove it can be used to gain access to sensitive data
- Server misconfigurations unless you can prove it is not a false positive
In addition, the following are Out of Scope too:
- Social Engineering
- Associated third parties and third-party-hosted content
- Application Layer DoS/DDoS Vulnerabilities
We would much rather have solid proof of concepts/evidence than advice or non-PoC enhancements.
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls conducted in good faith; and
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research and we waive those restrictions on a limited basis for work done under this policy.
You are expected, as always, to comply with all applicable laws. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our official channels before going any further.