Committed to Security

IPONWEB is committed to providing the best security possible, and this means being open to independent and public contributions to our platform’s security via the discovery and submission of vulnerabilities. The purpose of this program is to outline the rules of engagement for an independent security researcher (an individual who is not employed by, or contracted by, IPONWEB, directly or indirectly), what we will accept as a vulnerability, and what a researcher can expect from us.

At IPONWEB, we define a security vulnerability as an unintended weakness in a product or service that could allow an attacker to compromise the integrity, availability, or confidentiality of that product or service. When reporting vulnerabilities, please consider the attack scenario and exploitability, and the security impact of the bug.

The following issues are considered out of scope:

  • Denial of service attacks
  • Password cracking attempts (except the use of default passwords), including but not limited to: 
    • brute forcing
    • rainbow attacks
    • word list substitution
    • pattern checking
  • Clickjacking on pages with no sensitive actions
  • Attacks requiring takeover of the email or social account authenticating the victim account.
  • Tab-nabbing on non-user-provided links
  • Unauthenticated/logout/login CSRF
  • Attacks requiring MITM or physical access to a user’s device
  • Previously known vulnerable libraries without a working Proof of Concept (PoC)
  • Comma Separated Values (CSV) injection without demonstrating exploitation via a PoC
  • Missing best practices in SSL, TLS and HTTP header configuration
  • Social engineering attacks (including phishing, vishing, smishing)
  • Software version disclosure
  • Issues requiring direct physical access to hardware
  • Flaws affecting out-of-date browsers and plugins
  • Email enumeration / account oracles
  • CSP weaknesses
  • Email spoofing
  • Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS

We will investigate all eligible reports and do our best to fix valid issues quickly.

Disclosure Policy

We ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. When disclosing a vulnerability to us, we request that it is submitted with a detailed description of the issue and the steps required to reproduce what you have observed.

It is important to make every attempt possible to protect our customers’ privacy, data confidentiality, and integrity. You agree that you will not disclose vulnerability information to any other third party, until granted permission to do so from IPONWEB. We endeavour to grant such permission within two to four weeks from the release of the fix that addresses the discovered vulnerability.

Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue beyond what is needed to demonstrate it, accesses other users’ data, or otherwise violates this policy.

Program Rules

  • The severity of a vulnerability within a report will be verified using the NVD CVSSv3.1 calculator, applied within the context of our application. The severity rating resulting from that calculation will be considered final
  • Bounties are not guaranteed and are issued solely at the discretion of IPONWEB
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty
  • You must disclose all possible ways to exploit an issue in your original report. IPONWEB will not issue a bounty, follow-on bounty, or bonus if we believe you are abusing this process by not providing complete information in your initial report
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be eligible for a reward. This usually requires a working PoC typically in the form of a clickable link that we can verify. Videos or screenshots are not considered definitive proof and you may be asked to provide additional information
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate combined impact
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced)

General Prohibitions

We ask that you make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Specifically prohibited are the following:

  • Social engineering (e.g. phishing, vishing, smishing).
  • Lateral movement from a compromised host.
  • Any manipulation or further exploit past the initial PoC.
  • Defacing, degrading, or otherwise altering a live system.

Reports

Please submit your report to security@iponweb.net. Your report should include:

  • A detailed description of the issue
  • The steps required to reproduce what you have observed, including screenshots or video
  • A description of how you found the issue

As noted above, within your report, please make every attempt possible to protect our customers’ privacy, data confidentiality, and integrity. Please consider obfuscating or redacting content wherever it is reasonably possible.

Bounties

IPONWEB’s default policy is to acknowledge all researchers who submit a valid security vulnerability report. Bounties will only be awarded after an IPONWEB team member has confirmed the issue during the triage process.

As noted previously, we take a first-come, first-served approach to bounties. If the vulnerability disclosed is already known to us and is already being acted on internally, we will not pay a bounty.

We generally won’t wait until the item is fixed before awarding a bounty, as we understand some fixes may have long lead times to deploy. Bounties are only awarded for reports with actual security or privacy impact, not for functionality or other types of bugs.

Response Times

Upon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution.

IPONWEB will use all reasonable efforts to meet the following timelines:

  • Time to acknowledge receipt of submission: 1 business day
  • From acknowledgement, time to triage and verify: 2 business days
  • From verification, time to classify and respond: 10 business days

We’ll try to keep you informed about our progress throughout the process.

Safe Harbour

Any activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.