Vulnerability Disclosure Policy
Business Agreement
Introduction
PureDome cares about your online security, privacy, and the data entrusted to us. We are committed to safeguarding and protecting your data, and this Vulnerability Disclosure Policy is one further step in that commitment. PureDome commits to protecting its data and assets from cyber risk and to maintaining a heightened level of protection throughout the organization.
PureDome is a data controller in respect of your personal data for the purposes of the Virgin Islands Data Protection Act, 2021 (the Act). PureDome is responsible for ensuring that it uses your personal data in compliance with the Act.
The information collected by PureDome is limited to that which is necessary for the provision of the Services, including your name, email address and payment information. Our system is designed so that no sensitive data is collected about you.
Guidelines
This policy is intended to give security researchers explicit and transparent communication guidelines about the procedure to follow in order to achieve the desired results:
Do's:
- Researchers must notify PureDome at the email address provided below as soon as a new vulnerability is detected.
- The researcher must ensure that the safety of the assets or any data is not affected in any way as a result of testing.
- Use proof of concept to demonstrate the presence of a vulnerability.
Don’ts:
- Once a vulnerability is identified, the researcher must not exploit it any further than necessary.
- The researcher must not disclose the vulnerability publicly.
- The use of automated scanners while conducting security testing is strictly forbidden.
- Do not adopt or carry out any destructive actions whilst testing.
- No data should be exfiltrated whilst testing.
Scope
The scope of the PureDome VDP includes the following:
- Cross Instance Data Leakage/Access
- Server-side Remote Code Execution (RCE)
- Client-Side Remote Code Execution (RCE)
- Server-Side Request Forgery (SSRF)
- Stored/Reflected Cross-site Scripting (XSS)
- Cross-site Request Forgery (CSRF)
- SQL Injection (SQLi)
- XML External Entity Attacks (XXE)
- Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc.)
- Path/Directory Traversal Issues
- Buffer/Heap Overflows
- Privilege Escalation
- Remote Code Execution
- Denial of Service
Make sure to review the out-of-scope list for further details.
Out Of Scope
Anything that is not included in the scope list above should be considered out of scope for the purposes of this VDP. Below are some examples of what is considered out of scope.
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Fingerprinting/banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues that are only exploitable through clickjacking.
- Logout Cross-Site Request Forgery (logout CSRF).
- Content Spoofing.
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
- Weak Captcha / Captcha Bypass.
- Login or Forgot Password page brute force and account lockout not enforced.
- OPTIONS HTTP method enabled.
- No load testing (DoS/DDoS etc.) is allowed on the instances/assets. This includes application DoS as well as network DoS.
- Username / email enumeration.
- Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers), specifically:
  - Strict-Transport-Security.
  - X-Frame-Options.
  - X-XSS-Protection.
  - X-Content-Type-Options.
  - Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP.
  - Content-Security-Policy-Report-Only.
  - Cache-Control and Pragma.
- HTTP/DNS cache poisoning.
- SSL/TLS issues, e.g.:
  - SSL forward secrecy not enabled.
  - SSL attacks such as BEAST, BREACH, and renegotiation attacks.
  - SSL weak/insecure cipher suites.
Point Of Contact
Reports need to be submitted in plain text (associated pictures/videos are accepted as long as they are in standard formats). Reports submitted in non-plain-text formats (e.g. PDF, DOCX) will need to be resubmitted in plain text. Use inquiry@puredpme.com as the point of contact.
Process Steps
- Once vulnerabilities have been reported, PureDome commits to taking a series of steps to verify their authenticity.
- All reported vulnerabilities will require validation, which the PureDome team will carry out within the first two weeks of submission.
- Researchers will be engaged for information sharing regarding the validated vulnerabilities.
- Reported vulnerabilities will not be disclosed until a decision has been made and agreed upon between PureDome and the researcher.
- The PureDome team will review whether the bug qualifies for a bounty. If it does not qualify, the researcher will be informed and the bug submission loop will be closed. If it qualifies, the PureDome team will inform the researcher of the approved bounty.
- The bounty reward will be decided solely by PureDome.
- Fixed vulnerabilities will need to be validated by the researcher before the bug reporting loop is closed.
- Impacted users will be informed of the found vulnerability through a private newsletter.
Reward Money Remittance
- Payment will not be processed to any sanctioned country.
- Payments will be made via PayPal, Stripe, mainstream banks, etc.
- An amount of up to $1500 will be rewarded depending on the severity of the reported vulnerability.
- Basic information such as the researcher's first and last name, photo identification of the account holder, and account details will be required to process payment.
Closing Note
The efforts and sincerity of all security researchers who share information on security issues with PureDome are appreciated. The VDP program gives us an opportunity to move towards improved products and services for our customers. Many thanks for working with us through the process.