HORANGI CYBER SECURITY

Bug Bounty Program (BBP)

Horangi provides a range of services and products, from our web-hosted vulnerability scanner to our incident response tool, Hunter/Gatherer. In addition to these, we provide security assessment, security hardening, incident response, and security training. However, as we focus outwards to protect others from harm, we might forget to look inward and neglect our own protection.

To ensure that Horangi's platform, products and services are secure, we are establishing a Bug Bounty Program (BBP) that allows the wider cybersecurity community to submit any vulnerabilities they may have identified on our online portals or website.

YOUR SCOPE



For the scope of the BBP, we at Horangi welcome any discoveries regarding the following:

BOUNTY RULES

Currently our bug bounty program is in the process of being set up, but we would love to hear from you.
If you believe you have identified a security vulnerability in Horangi's services, we encourage you to notify us right away. We will investigate all legitimate reports and do our best to fix the problem quickly. While we do not have a structured bug bounty program yet, we will award loot, like a sweet Horangi shirt. Cash rewards are being considered.

How Horangi finds out about new vulnerabilities
Horangi has an internal team doing periodic testing, with bug fixes scheduled and prioritized by severity. We also curate vulnerabilities found or reported elsewhere on the web, as well as doing our own research to uncover previously unknown vulnerabilities.


DISCLOSURE PROGRAM

Program Terms
Horangi recognizes and rewards security researchers who help us keep people safe by reporting vulnerabilities in our services. Bounties, either in loot or monetary form, are awarded at Horangi's discretion, based on risk, impact, and other factors. To potentially qualify for a bounty, you must first meet the following requirements:
  • Adhere to Horangi's Responsible Disclosure Policy. If you comply with the policies below when reporting a security issue to Horangi, we will not initiate a lawsuit or law enforcement investigation against you in response to your report. We ask that:
    a) You give us reasonable time to investigate and mitigate the reported issue before making public any information about the report, or sharing such information with others.
    b) You do not interact with an individual account (which includes modifying or accessing data from the account) unless the account owner has explicitly consented to such actions.
    c) Your actions, taken in good faith, do not (and will not) cause privacy violations or disruptions to others, including (but not limited to) the destruction or manipulation of data, and the interruption or degradation of our services.
    d) You do not exploit a security issue you discover for any reason. This includes demonstrating additional risk, such as attempting to compromise sensitive company data or probing for additional issues.
    e) You do not violate any other applicable laws or regulations.

  • Report a security bug: identify a vulnerability in our services or infrastructure that creates a security or privacy risk. (Horangi reserves the right to determine the risk of an issue; note that many software bugs are not security issues.)
  • Certain types of potential security issues are excluded, these are listed under the section titled “What does not qualify?”
  • Submit your report to bugbounty@horangi.com (one issue per report) and provide follow-up reports regarding any updates. Please do not contact employees directly, or through other channels, about a report.
  • If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, you must disclose any and all instances in your report.


SOME DON'TS
  • Do not attempt to gain access to another user's account or data.
  • Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • Do not perform any attack that could harm the reliability/integrity of our services or data. For example, DDoS/spam attacks.
  • Do not publicly disclose a bug before it has been fixed and without our consent.
  • Do not impact other users with your testing.
  • Do not use scanners or automated tools to find vulnerabilities.

WHAT DOES NOT QUALIFY?
Items not defined in the Scope section of the document do not qualify. Certain types of potential security issues are excluded from the bounty program. These include:
  • Bugs that don’t affect the latest version of modern browsers (Chrome, Firefox, Edge, Safari). Bugs related to browser extensions are also out of scope.
  • Duplicate issues: bugs already reported by another researcher, already known to Horangi, scheduled for a fix, classified as ineligible, or accepted by Horangi as an acceptable risk.
  • Bugs requiring exceedingly unlikely user interaction.
  • Bugs that only enable unconvincing phishing attacks.
  • Missing security enhancement or best practices such as:
    1. Insecure cookie settings for non-sensitive cookies.
    2. Browser headers that do not apply in the application context.
  • Disclosure of public information and information that does not present significant risk.
  • Bugs in content or services that are not owned/operated by Horangi.
  • Scripting or other automation and brute forcing of intended functionality.
  • Zero-day vulnerabilities in third-party components of the application, reported within 30 days of their public disclosure.

COMPENSATION & RECOGNITION

Should the discovery prove valuable to Horangi's services and products, the contributor will be provided with compensation fitting the submitted information. The table below outlines the category of bug identified and the type of compensation recommended (see Table 1). Identifying a vulnerability requires time and patience from the contributor; therefore, it is recommended that Horangi create a "recognition page" or "Hall-of-Fame" where contributions can be recognized.
TABLE 1. CATEGORIZATION OF BUGS & RELEVANT COMPENSATIONS

CAT 1 (High - Critical)
  Type of vulnerability identified:
    • Remote Code Execution (Command Injection, Deserialization Bugs, Sandbox Escapes)
    • Unrestricted file system or database access (Unsandboxed XXE, SQL Injection)
  Compensation offered:
    • Monetary Prize (USD 200 - 1000)
    • Horangi Trinket
    • Certificate of Gratitude
    • Letter of Acknowledgement

CAT 2 (Medium)
  Type of vulnerability identified:
    • Logical flaws leaking or bypassing significant security controls (Direct Object Reference, remote user impersonation)
  Compensation offered:
    • Monetary Prize (USD 100 - 300)
    • Certificate of Gratitude
    • Letter of Acknowledgement

CAT 3 (Low)
  Type of vulnerability identified:
    • Client-side code execution (Cross-Site Scripting)
    • Other valid vulnerabilities (CSRF, Clickjacking)
  Compensation offered:
    • Horangi Shirt or Mug
    • Certificate of Gratitude
    • Letter of Acknowledgement

CAT 4 (Recognition of Efforts)
  Type of vulnerability identified:
    • High-severity issues already reported before, or pending fixes
  Compensation offered:
    • At Horangi's discretion

SUBMISSION PROCEDURE

Before you start writing your report, check that the vulnerability you are reporting is within the scope of the bug bounty program (horangi.com, app.horangi.com).
Think through the possible exploitability and attack scenario(s) of the vulnerability you are reporting, and provide as many clear details as possible for our security team to reproduce the issue (please include screenshots if possible).
Please include your understanding of the security impact of the issue. Our bounty rewards are directly tied to the security impact of the reported issue, so the more precise the details you provide, the better we can assess the impact and reward your efforts accordingly. We cannot provide a payout after the fact if we do not have enough evidence and a mutual understanding of the security impact.
In some cases, it may not be feasible to have the entire context on the impact of a bug. If you’re unsure of the direct security impact, but feel that you may have found something impactful, please feel free to submit a detailed report and we will get back to you.


Upon identifying any vulnerability or bug, contributors are advised to download the submission form and use it to submit the discovered bug.

DOWNLOAD FORM