Please submit a detailed report of your research while following our guidelines below.
If you believe you have found a security (technical) vulnerability in our products or services, you are welcome to submit a vulnerability report to "firstname.lastname@example.org".
When reporting a security vulnerability or issue, please ensure that you have included the following information (qualified reporting):
1) The main URL where the vulnerability is located.
2) A detailed description with necessary screenshots.
3) Versions of the web components related to the vulnerability (browser, OS, app version, etc.).
4) Steps to reproduce the vulnerability and your advice on how to fix it.
5) Tools used while performing the test.
6) Any other useful information that you think we must know.
PLEASE STICK TO THE DOMAINS AND SUB-DOMAINS THAT ARE LISTED IN THE SCOPE.
We will review and respond to your submission as quickly as possible, and keep you informed as we work to fix the vulnerability or issue you submitted (valid bugs only). Based on the research report you submit to us, we will include your name in our Hall of Fame (HOF).
We may contact you for further information if necessary.
The main categories of vulnerabilities that we are looking for are:
1) Cross-site Scripting (XSS)
2) Cross-site Request Forgery (CSRF)
3) Server-Side Request Forgery (SSRF)
4) SQL Injection
5) Remote Code Execution (RCE)
6) XML External Entity Attacks (XXE)
7) Access Control Issues (Insecure Direct Object Reference issues, etc.)
8) Exposed Administrative Panels without strong protection
9) Directory Traversal Issues
10) Local File Disclosure (LFD)
11) User Sensitive Information Leakage
12) Any other issue that you think is important
The following issues are considered out of scope:
1) Vulnerabilities affecting only users of outdated browsers or platforms: IE < 9, Chrome < 40, Firefox < 35, Safari < 7, Opera < 13
2) "Self" XSS
3) Missing cookie flags
4) Mixed content warnings
5) SSL/TLS best practices
6) Clickjacking/UI redressing
7) Reflected file download attacks (RFD)
8) Physical or social engineering attacks
9) Unverified results of automated tools or scanners
10) Login/logout/unauthenticated/low-impact CSRF
11) Issues related to networking protocols or industry standards
12) Missing security-related HTTP headers which do not directly lead to a vulnerability