Bug Bounty Program
Program Eligibility
To be eligible for the program:
- You must not be a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan, and Syria)
- You will comply with all applicable laws and regulations
- You will let us know as soon as possible following the discovery of a vulnerability
- You will follow the disclosure guidelines defined below
What's not permitted
- You may not submit reports from automated scanners and tools
- You will not maliciously exploit any vulnerabilities
- You will not in any way access any private or confidential information pertaining to Hivelocity, our users, and/or any third parties
- You will not conduct Denial of Service testing nor any other actions that disrupt services
- You may not do any testing that could result in a system being more vulnerable than it was when discovered, degrade performance, or destroy information
- You will not conduct social engineering of any Hivelocity employees and/or contractors
- You will not conduct physical attempts against Hivelocity property
Low severity bug (up to $100):
- Reflected XSS
- DOM XSS
- Server misconfiguration or provisioning errors
- Information leaks or disclosure (excluding customer data)
- Open Redirect
Medium severity bug (up to $250):
- Cross-Site Request Forgery on Sensitive Actions or Functions (CSRF/XSRF)
- Stored XSS
- Session Hijacking
- Broken Authentication or Authentication Bypass
- Directory Traversal
- Insecure Direct Object Reference
High severity bug ($500-$750):
- LFI/RFI
- Server-Side Request Forgery
- Privilege Escalation
Critical severity bug ($1,500+):
- SQL injection
- Remote Code Execution
- XXE
Non-Qualifying Bugs:
- DoS/DDoS (Denial of Service) attacks
- Brute-force attacks
- Password-stuffing attacks
- Social engineering related attacks (phishing, vishing, smishing)
- Clickjacking/UI-redressing
- Tab-Nabbing or other rel="noopener" bugs
- Vulnerabilities reliant on out-of-date browsers/software
- Vulnerabilities found by automated tools (thanks but we're already doing that)
- Mixed content warnings
- Missing or misconfigured security-related HTTP headers that don't directly lead to a vulnerability
- Missing cookie flags that do not directly lead to a vulnerability
- Web Cache Poisoning
- Content Spoofing
- Request Smuggling
- CORS Misconfiguration
- SPF, DKIM, DNS, and DMARC records and flags
- Assets not owned/managed by Hivelocity (including customer IPs)
- Zendesk Chatbox
- Server banners
- Issues pertaining to abandoned customer carts
- Rate-limit issues
- Sessions not automatically being expunged on password reset
- Sessions can be expunged when toggling the "Clear active sessions"
- Complex/intricate bugs that would require unrealistic circumstances to be exploited
- Out-of-date packages being used in system resources
- Issues pertaining to 2FA (we are currently working to implement a fix that will resolve all existing issues); anything not currently triaged/accepted will be denied until a patch is implemented and can be tested
Scope:
www.hivelocity.net
core.hivelocity.net
my.hivelocity.net
store.hivelocity.net
locker.hivelocity.net
Out-of-Scope:
centos.hivelocity.net
almalinux-mirror.tpa.hivelocity.net
almalinux-mirror.dal1.hivelocity.net
Reporting
If you find a vulnerability, please send an email to: [email protected]
Subject: Vulnerability Found:
Bug Bounty Report Requirements:
Vulnerability Name:
Summary:
Impact:
PoC (Proof-of-Concept):
Step 1:
Step 2:
Step 3:
Step ...
Suggested Remediation:
Additional Proof (Screenshots / unlisted youtube video):
####################################################################################
In order for us to appropriately assess the vulnerability that you're submitting, we require some additional information so that we do not mistake your actions for malicious activity. Please provide any of the following information that you have:
IP Address:
User-Agent:
Email Address:
Client ID: