Disclosure Policy
- As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization;
- Follow industry standard disclosure guidelines;
- Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue;
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party;
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- Only interact with accounts you own or with the explicit permission of the account holder;
- Do not access, modify or delete user data without permission of the account owner;
- Do not exploit financial vulnerabilities beyond what is required to prove its existence;
- Act in good faith not to degrade the performance of our services (including denial of service);
Rules
The following issues are outside the scope of our Program:
- Denial of service
- Spamming
- Social engineering (including phishing) to our staff or contractors
- Any physical attempts against our property or data centers
In Scope
www.senangurus.com
Non-Qualifying Vulnerabilities
The following types of issues are outside the scope of our Program (including but not limited to):
- Clickjacking on static websites or pages with no sensitive actions;
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions;
- Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability);
- Login/logout CSRF;
- Attacks requiring MITM or physical access to a user’s device;
- Previously known vulnerable libraries without a working Proof of Concept;
- Comma Separated Values (CSV) injection without demonstrating a vulnerability;
- Missing best practices in SSL/TLS configuration;
- Missing security headers which do not lead directly to a vulnerability;
- Any activity that could lead to the disruption of our service (DoS);
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS;
- Rate limiting or bruteforce issues on non-authentication endpoints;
- Missing best practices in Content Security Policy;
- Missing HttpOnly or Secure flags on cookies;
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.);
- Vulnerabilities affecting users of outdated or unpatched browsers and platforms;
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors);
- Tabnabbing;
- Open redirect – unless an additional security impact can be demonstrated;
- Issues that require unlikely user interaction;
- Issues related to software outside SenangUrus Domains control;
- Use of a known-vulnerable library (without evidence of exploitability);
- Reports from automated tools or scans (without validation of vulnerability);
- Social engineering (like phishing) of SenangUrus Domains staff or contractors;
- Any physical attempts against SenangUrus Domains property or data centers;
- Single-user vulnerabilities that require jailbroken or otherwise non-standard hardware;
- Password Complexity Requirements;
- Mixed Content Scripts;
- Banner disclosure on common/public services;
- Disclosure of known public files or directories, (e.g. robots.txt);
- Spamming;
- Self Cross Site Scripting (Self-XSS);
