Responsible Disclosure
Updated June, 2016
Security of user data and communication is of utmost importance to us. With the best possible security of our service in mind, we welcome responsible disclosure of any vulnerability you find in our products, services, apps or websites. The principles of responsible disclosure include but are not limited to:
- Accessing, exposing or attempting to exploit only data that is your own.
- Avoiding scanning or similar techniques that are likely to cause degradation of service to our systems or other customers (e.g. by overloading or overwhelming our services).
- Keeping details of vulnerabilities secret and confidential until we have been notified and have had a reasonable amount of time to correct or fix the vulnerability. You must not disclose the vulnerability to any third party or post details anywhere else until resolved.
- Keeping within the limits and guidelines contained in our Terms of Service.
- You must agree to follow the guidelines below and standard industry disclosure guidelines:
- Respect the rules. Operate within the rules set forth by the Security Team, or speak up if in strong disagreement with the rules.
- Respect privacy. Make a good faith effort not to access or destroy another user’s data.
- Be patient. Make a good faith effort to clarify and support your reports upon request.
- Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities. Never willfully exploit others without their permission.
- We agree to follow the guidelines below:
- Prioritize security. Make a good faith effort to resolve reported security issues in a prompt and transparent manner.
- Respect Finders and Researchers. Give finders and researchers public recognition for their contributions.
- Reward research. Financially incentivize security research when appropriate.
- Do no harm. Not take unreasonable punitive actions against finders, like making legal threats or referring matters to law enforcement if properly and responsibly disclosed.
We use the following guidelines to determine the validity of submissions and the corresponding reward compensation offered:
- Reproducibility
- Our engineers or third-party code authors must be able to reproduce the security flaw from your report. Vague or unclear reports are not eligible for reward. Reports or submissions that include detailed explanations and working code are most likely to earn rewards.
- Severity
- We are most interested in security vulnerabilities that can be exploited to gain access to user data or services. We will only qualify and reward a submission if the bug can be successfully used, by itself or in combination with another vulnerability you report, to access user data that is not yours. General "bugs" are never qualified as vulnerabilities, and anything that is not an exploit is considered a general "bug". The exploit must rely only on vulnerabilities in our own systems.
- Examples of Qualifying Vulnerabilities
- User / Authentication Flaws
- Cross-site scripting (XSS)
- Circumvention of privacy / permission models / privilege escalation
- Server-side code execution / Remote code execution
- SQL Injection
- Cross-site request forgery (CSRF/XSRF)
- Source code vulnerabilities
- Examples of Non-Qualifying Vulnerabilities
- Failures to adhere to “best practices” (e.g. common HTTP headers, password policy or link expiration)
- Denial of Service (DoS) vulnerabilities and social engineering attacks do not qualify and must not be attempted against our sites or users under any circumstances
- Bugs related to unpatched, out-of-date or rarely used browsers or other software outside our control
- Insecure cookies on our domains
- Mixed-content scripts or mixed content warnings on our domains
- Possibilities to send malicious links to people you may know
- Possibilities of injecting sanitized / stripped HTML into comments / fields
- Security flaws or bugs in third-party websites or third-party plugins that integrate with our sites, apps or services
- Vulnerabilities that require a potential victim to install software that is non-standard or otherwise take steps to make themselves vulnerable
- Social engineering or spam techniques
- Front-end "XSS" from custom post types on our WordPress sites / entities. WordPress intentionally allows certain users (those granted the unfiltered_html capability, such as Administrators and Editors on a single-site install) to enter unfiltered HTML into posts (including custom post types) and comments. It is escaped within the Administration Panels as a precaution, but displayed raw on the front-end. Lower-privileged users are not trusted and will not reproduce the same behavior, so markup that only an already-trusted user can inject is not a vulnerability. For more information, please read WordPress' security FAQ.
Rewards – NOTE Currently Limited In Scope Due to Budget
- Only 1 (one) reward or bounty (if budget is available) will be awarded per vulnerability.
- In order to be eligible for a reward or bounty, your submission or responsible disclosure must be accepted as valid by us.
- If we receive multiple reports for the same vulnerability, even if found on separate areas, only the person providing the first clear report will receive a reward and/or bounty.
- We maintain total flexibility with our reward and/or bounty system. We have no set minimum/maximum amount; rewards are based on impact, severity, and report quality.
- Our typical minimum reward is an acknowledgement (kudos); some submissions also qualify for a reward of up to $50 USD.
- Our typical maximum reward is an acknowledgement (kudos) plus up to $250 USD, and often less.
- Sometimes third-party developers will contribute additionally to the bounty / reward on a case-by-case basis, depending on the severity. Their contribution may increase the bounty and may also extend the funding timeline, but there are no guarantees.
- This is a discretionary program and we reserve the right to cancel or suspend the program at any time; the decision whether or not to pay any bounty or reward is at our discretion.
- To receive a reward or bounty, you must reside in a country not on sanctions lists (e.g., Iran, North Korea, Sudan & Syria).
- Rewards if funded are paid through Paypal, Dwolla or other method at our discretion and as permitted by law.
- Our Bug Bounty Fund has very limited funding per week, so please be advised that your bounty payout may be delayed at times (sometimes by months) depending on the number of bugs reported, their severity and the funds available. We will address and reward higher-priority bugs first, and will pay out bounties in order of priority and date reported as funds become available.
- You Must Practice Patience as our support team works through the issues by priority and funding available!
Hall of Fame – Kudos & Rewards
Our thanks to the following security researchers for their submissions:
Ch Chakradhar (Multiple issues reported with third party software: open redirect, opauth library, CSRF, XSS)
Zeeshan (Multiple issues reported with third party user logins and third party email auth related issues, CSRF Protection, XSS, rate limit mitigation)
Contacting Us / Report a Bug
Please use the bug reporting form below or email us at security [at] aquatechnologygroup.com with any reports of vulnerabilities or questions about the bug bounty program. Please report each new bug in a separate form submission or email thread so we can ensure you are rewarded properly.