Vulnerability Disclosure Program
Written by Emmanuel Iturbide
Updated more than a week ago

iPaidThat values the work done by security researchers in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities.

Since November 2021, iPaidThat has been running a private bug bounty program on https://www.intigriti.com/

If you don't receive an answer to your report, it is because it was either:

  • considered informational, or

  • considered a duplicate

Out of scope domains

  • https://ipaidthat.io/mag, a WordPress instance running on a dedicated server that does not contain any sensitive data, is out of scope!

  • Any domain that is not listed in the Domains section is out of scope for this program

We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you provided you comply with the following Responsible Disclosure Guidelines:

PLEASE DO NOT RUN ANY AUTOMATIC SCAN AGAINST OUR INFRASTRUCTURE. IF YOU'RE USING TOOLS LIKE REPEATER IN BURP SUITE, PLEASE CONFIGURE YOUR THROTTLE TO SIMULATE A SINGLE USER'S USAGE.

  • Create an account with the following phone number: +336 13371337

  • Use a valid email address so we can get in touch with you in case you make too much "noise"

  • Do not create more than 5 accounts.

  • Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC).

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.

  • Do not modify or access data that does not belong to you.

  • Give iPaidThat a reasonable time to correct the issue before making any information public, and ask for our approval before making any disclosure.

Endpoint

We are primarily interested in hearing about the following vulnerability categories:

  • Sensitive Data Exposure, Stored Cross-Site Scripting (XSS), SQL Injection (SQLi), etc.

  • Authentication or Session Management related issues

  • Remote Code Execution

  • Particularly clever vulnerabilities or unique issues that do not fall into explicit categories

Out of Scope

The following vulnerability categories are considered out of scope for our responsible disclosure program and should be avoided by researchers.

  • Self-XSS that cannot be used to exploit other users

  • Verbose messages/files/directory listings without disclosing any sensitive information

  • CORS misconfiguration on non-sensitive endpoints

  • Missing cookie flags

  • Missing security headers

  • Cross-site Request Forgery with no or low impact

  • Presence of autocomplete attribute on web forms

  • Reverse tabnabbing

  • Bypassing rate-limits or the non-existence of rate-limits.

  • Best practices violations (password complexity, expiration, re-use, etc.)

  • Clickjacking on pages with no sensitive actions

  • CSV Injection

  • Host Header Injection

  • Sessions not being invalidated (on logout, on enabling 2FA, etc.)

  • Hyperlink injection/takeovers

  • Mixed content type issues

  • Cross-domain referer leakage

  • Anything related to email spoofing, SPF, DMARC or DKIM

  • Content injection

  • Username / email enumeration

  • E-mail bombing

  • E-mail validation

  • HTTP Request smuggling without any proven impact

  • Homograph attacks

  • XMLRPC enabled

  • Banner grabbing / Version disclosure

  • Open ports without an accompanying proof-of-concept demonstrating vulnerability

  • Weak SSL configurations and SSL/TLS scan reports

  • Not stripping metadata of images

  • Disclosing API keys without proven impact

  • Same-site scripting

  • Subdomain takeover without actually taking over the subdomain

  • Arbitrary file upload without proof of the existence of the uploaded file

  • Privilege escalation between members of the same organisation

  • HyperLink injection on Email

  • OpenRedirect without proven impact

  • Any other iPaidThat subdomains

  • Denial of Service (DoS) – Either through network traffic, resources exhaustion or others

  • Issues only present in old browsers/old plugins/end-of-life software browsers

  • Phishing or social engineering of iPaidThat employees, users or clients

  • User enumeration

  • TLS cookie without secure flag set

  • Missing CSRF token on some endpoints (we are aware of some issues and are working on them).

  • Systems or issues that relate to Third-Party technology used by iPaidThat

  • Disclosure of known public files and other information disclosures that are not a material risk (e.g.: robots.txt)

  • Any attack or vulnerability that hinges on a user’s computer first being compromised

  • Missing rate limits

  • Reports from automated tools or scans

  • DNSSEC

  • Relating to HSTS

  • Missing security headers which do not lead directly to a vulnerability

  • Physical attack on the infrastructure

  • Browsers that support the "Content Security Policy" tag

  • Theoretical attacks

  • Breaking of SSL/TLS trust

  • Compromise of the browser/device (e.g. computer sharing, physical access to a user's device, ...)

  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms

  • Outdated DNS records pointing to a system that does not belong to iPaidThat

  • Access to content via means of CDN / Content Delivery Networks / Network caches

  • Clickjacking

  • Email verification

  • Password policy

Vulnerability Rewards

Level       | Examples                                                                                                                                                                                                                                                                                                                                   | Reward
Critical    | Remote code execution; SQL Injection; Data leak; Server Access                                                                                                                                                                                                                                                                             | 500$+
High        | Privilege Escalation to Super Admin accounts; Access to unauthorized private data                                                                                                                                                                                                                                                          | 200$+
Medium      | XSS; Security misconfiguration                                                                                                                                                                                                                                                                                                             | 100$+
Low         | Vulnerability may result in limited risk or require the presence of multiple additional vulnerabilities to become exploitable. Examples include overly verbose error messages and detailed banner information disclosure.                                                                                                                  | 25$-75$
Informative | Finding does not have a direct security impact but represents an opportunity to add an additional layer of security, is a deviation from best practices, or is a security-relevant observation that may lead to exploitable vulnerabilities in the future. Examples include vulnerable yet unused source code, missing HTTP security headers, and DMARC / DKIM / SPF misconfiguration. | 0

Vulnerability rating is based on CVSS and on the judgement of the iPaidThat team.

On top of this reward, we will also list you here in the Special Thanks section (if you accept).

Reporting a Security Vulnerability

Submit your finding to security@ipaidthat.io.

Please include:

  • A summary of the problem

  • A proof-of-concept or a stepwise breakdown


Special Thanks
