1. Responsible Disclosure Policy
Effective disclosure policy requires mutual trust, respect, and transparency between the security researchers and our security team.
- We request you to report any bug as soon as you discover. We request you not to do any public disclosure before it has been fixed. We will confirm acknowledgment within 48 working hours of submission.
- Keep the information about the vulnerability discovered confidential till we have resolved the problem.
- Avoid any privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
- Avoid using testcases or vulnerability testing tools that generates significant volume of traffic or disrupt our services.
- Refrain from accessing other user’s account or data without permission.
- Use only Test accounts to produce vulnerability and do not attempt on Live accounts.
- Submit a bug only if you have exploited a real vulnerability (refer Scope Exclusion below)
- Do not use scanners or automated tools to find vulnerabilities. They’re noisy and might result in suspension of your user account / IP Address.
- We also request you not to attempt attacks such as social engineering, phishing. These kind of bugs will not be considered as valid ones, and if caught, might result in suspension of your account.
- The vulnerability must be original and previously unreported. The first reporter will have the benefit of the reward.
- Any Improper public disclosure/ misuse of information will entitle us to take appropriate legal action.
The following domains and apps are within the scope of the program:
3. Bounty Program
We reward reports based on their severity on a case by case basis upon careful validation by our security team. We pay different reward amount for critical, medium severity, and low risk bugs. We may also offer swags for bugs based on its severity.
Please refer to our bounty statistics to understand minimum, average, and top bounty amount that we have paid in the past. We will keep updating our bounty amount from time to time.
4. Non-Qualifying Vulnerabilities
Some of the bugs may not qualify because of low impact. Here we have listed down common low risks issues that do not qualify for bounty :
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- SPF Misconfigured
- Version disclosure
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure and HTTPOnly cookie flags.
- Lack of Security Speedbump when leaving the site.
- OPTIONS / TRACE HTTP method enabled
- SSL Attacks such as BEAST, BREACH, Renegotiation attack.
- SSL Forward secrecy not enabled
- SSL Insecure cipher suites
- The Anti-MIME-Sniffing header X-Content-Type-Options
- Missing HTTP security headers
Thank you for keeping Safehats secure by disclosing security issues to us