To ensure that Horangi's platform, products and services are secure, we are establishing a Bug Bounty Program (BBP) that allows the wider cybersecurity community to submit any vulnerabilities they may have identified on our online portals and/or website.
For the scope of the BBP, we at Horangi welcome any discoveries regarding the following:
How Horangi finds out about new vulnerabilities
Horangi has an internal team doing periodic testing, with bug fixes scheduled and prioritized by severity. We also curate vulnerabilities found or reported elsewhere on the web, as well as doing our own research to uncover previously unknown vulnerabilities.
Program Terms
Horangi recognizes and rewards security researchers who help us keep people safe by reporting vulnerabilities in our services. Bounties, either in loot or monetary form, are awarded at Horangi's discretion, based on risk, impact, and other factors. To potentially qualify for a bounty, you must first meet the following requirements:
- Adhere to Horangi's Responsible Disclosure Policy.
- Report a security bug: identify a vulnerability in our services or infrastructure that creates a security or privacy risk. (Horangi reserves the right to determine the risk of an issue; note that many software bugs are not security issues.)
- Certain types of potential security issues are excluded; these are listed under the section titled “What does not qualify?”.
- Submit your report to firstname.lastname@example.org (one issue per report) and provide follow-up reports regarding any updates. Please do not contact employees directly or through other channels about a report.
- If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, you must disclose any and all instances in your report.
If you comply with the policies below when reporting a security issue to Horangi, we will not initiate a lawsuit or law enforcement investigation against you in response to your report. We ask that:
a) You give us reasonable time to investigate and mitigate the reported issue before making any information about the report public or sharing such information with others.
b) You do not interact with an individual account (which includes modifying or accessing data from the account) unless the account owner has explicitly consented to such actions.
c) Your actions, taken in good faith, do not (and will not) cause privacy violations or disruptions to others, including (but not limited to) the destruction or manipulation of data and the interruption or degradation of our services.
d) You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempting to compromise sensitive company data or probing for additional issues.)
e) You do not violate any other applicable laws or regulations.
- Do not attempt to gain access to another user's account or data.
- Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- Do not perform any attack that could harm the reliability/integrity of our services or data. For example, DDoS/spam attacks.
- Do not publicly disclose a bug before it has been fixed and without our consent.
- Do not impact other users with your testing.
- Do not use scanners or automated tools to find vulnerabilities.
WHAT DOES NOT QUALIFY?
Items not defined in the Scope section of this document do not qualify. Certain types of potential security issues are excluded from the bounty program. These include:
- Bugs that don’t affect the latest version of modern browsers (Chrome, Firefox, Edge, Safari). Bugs related to browser extensions are also out of scope.
- Duplicate issues, issues already known or scheduled for a fix, or issues that Horangi has determined to be acceptable risks.
- Bugs requiring exceedingly unlikely user interaction.
- Bugs that will lead to unconvincing phishing attacks.
Missing security enhancements or best practices, such as:
- Insecure cookie settings for non-sensitive cookies.
- Browser headers that do not apply in the application context.
- CSV injection without actual risk.
- Clickjacking/Cross-Frame Scripting
- Open redirects
- Login/logout CSRF without business implication.
- Autocomplete attribute settings on web forms.
- Attacks requiring physical access to a user’s device.
- Mail configuration issues such as SPF, DKIM, DMARC settings.
- Reports of insecure SSL/TLS ciphers (unless a working proof of concept is provided)
- Disclosure of public information and information that does not present significant risk. (E.g. robots.txt, fingerprinting and banners)
- Bugs that have already been submitted by another user, that we are already aware of, or that have been classified as ineligible.
- Bugs in content or services that are not owned/operated by Horangi.
- Scripting or other automation and brute forcing of intended functionality.
- Zero-day attacks on third-party portions of the application within 30 days of disclosure.
COMPENSATION & RECOGNITION
TABLE 1. CATEGORIZATION OF BUGS & RELEVANT COMPENSATIONS

|Level of Severity|Type of Vulnerability Identified|Compensation Offered|
|---|---|---|
|High - Critical|Remote Code Execution (Command Injection, Deserialization Bugs, Sandbox Escapes)| |
| |Unrestricted file system or database access (Unsandboxed XXE, SQL Injection)| |
| |Logical flaw bugs leaking or bypassing significant security controls (Direct object reference, remote user impersonation)| |
| |Execute code on client side (Cross-Site Scripting)| |
| |Other valid vulnerabilities|Recognition of Efforts|
| |High issues already reported before, or pending fixes| |