Vulnerability Disclosure Terms
This page is created using templates from disclose.io.
Introduction
Security is core to our values, and we value the input of hackers acting in good-faith to help us maintain a high standard for the security and privacy for our users. This includes encouraging responsible vulnerability research and disclosure. This policy sets out our definition of good-faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.
Expectations
When working with us according to this policy, you can expect us to:
- Work with you to understand and validate your report, including a timely initial response to the submission;
- Work to remediate discovered vulnerabilities in a timely manner; and
- Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.
Scope
All of Volkis’s assets are in scope unless otherwise stated in the Out-of-Scope section below. This includes:
- *.volkis.com.au
- *.volk.is
- Third party applications/services/platforms used by Volkis - Make sure that you get consent from the third party before attempting to hack them!
We will only acknowledge submissions that have real-world impact. To better prove this impact, a working Proof of Concept is highly recommended and may result in a better outcome. We will not accept theoretical vulnerabilities such as TLS vulns and missing security headers, unless you can show impact.
Out-of-Scope
The following lists the scope and attacks that are excluded from this policy, meaning that we do not give consent to test against these assets/methods:
- *.volkis.io;
- Social engineering of any kind;
- Physical attacks against Volkis, its employees or any property belonging to Volkis of its employees;
- (Distributed) Denial of Service of any kind;
- Actions that violate Australian law.
Although submissions with no impact will be reviewed, they are unlikely to be accepted as part of this program. Some example of submissions that won’t be accepted are:
- Missing HTTP headers;
- Out-of-date software/libraries unless you can prove their impact;
- Theoretical SSL/TLS findings;
- “Best practice” configurations that do not have impact;
- “Self” exploits (such as Self-XSS) and exploits that required significant actions from users;
Rewards
We reward based on the impact of the finding, the quality of the report and how much effort went into the PoC. Keep in mind, that we are a small company but we are hoping to increase our rewards as we grow.
Rewards are based on the severity of the vulnerabilities as outlined in Bugcrowd’s Vulnerability Rating Taxonomy:
| Severity | Reward |
|---|---|
| P1 | $300 - $500 (+ Swag + cookies*) |
| P2 | $50 - $100 (+ Swag) |
| P3 | Swag |
| P4 | Contributors mention |
| P5 | No reward |
(*: Our Managing Director will bake you real cookies. Your choice of Choc Chip or ANZAC. No, really. This isn’t a joke.)
All accepted submissions of P4 and above will receive a mention in our Contributors list below.
The final decision for the reward amount is at our discretion.
Duplicate Submissions
We’ve participated in bug bounties so we know how frustrating dupes are! Although we can’t reward dupes, we vow to reduce their potential by fixing accepted submissions within 60 days.
Official Communication Channels
All submissions should be send to [email protected].
If you feel you need to encrypt the submission, put the report in a separate file, encrypt that file using the PGP key below and attach it to the email.
PGP Public Key
Fingerprint: B09D A8B3 6BC8 034B
-----BEGIN PGP PUBLIC KEY BLOCK-----
xsFNBF3oKNcBEAC/0W9lMLvLvzYU/9vGKGP17YzLTfbIMvtrhuQp4JfjTeeHZdjw
Peg8ZrKerJn608MtWw1+rFzt9A09EANLT7ffbBhlcPfRh3k/zMY8i8y4nOrAAs9n
8engzI8gmKFfLy14JKwivnXOS9j5M29/43izJo1I2x70HejKh0xgZGjahBOr+rl0
llx2KqIvn6IDbOz26YGXcS3+ZiTSIvmtxlnLjN9+4d/A7EEc+CHasCeE9FNT6gT5
8bgPisXYiNee9KSCf1XkloxCXUxwypBnFSNgBIoG4dmnSpsHoIQ00wHFkWvwCcnW
9CTe9JE/fUz5aibQ6/lDCyfXOYyqc8VUnIZRkRNBaP+JNjmkeZxMU4m8NUnitSFO
KJKaGPtt66mB4zF5uDPfU5S3HQ/ZKFwhEiLM85bF3udwria+rrmveDvH7uLEZGgK
x5JsfiXLtoWSuC8eQdbVTuRZDn5BkbzBoP0uDgoYHhRp6Jc4zSU5fElDy4PGfi1/
ZxZaIODk3nVT8BvWkvD9dJSd11kSdnXiaJL6QSOvEyxELxq7WY+fyzTGfdoRni2E
9FN5Y3H701DqfjVjgDSS4iUpalZ3lmylNotq5D7deQji4hRJfNkAaPq8cvqm7qM2
JqK4653PCASa9vFsCBD8LzETpSkHR/IgFcz30CAhz7pW1lXn673FToFq3wARAQAB
zSBWb2xraXMgSW5mbyA8aW5mb0B2b2xraXMuY29tLmF1PsLBlAQTAQgAPhYhBIAx
Kbj5XLI7E2UjRbCdqLNryANLBQJd6CjXAhsDBQkJaNI5BQsJCAcCBhUKCQgLAgQW
AgMBAh4BAheAAAoJELCdqLNryANLHUcQAJV883raejF6fuhfMLejPuReHJ7OGi+i
aH4oz0EE3G02VN4GWo8FktOGiitFcXCnm7tNO6QtV6nVyZVP/9b/Y1vCC46cNk9n
5pAZBL+PO/DQB9+Q4ldetcIn+koojVE0umEJbFvmE4GTosdV7HdGN0nkQbCRy3KX
o4dDereWvXRrGxfmgWitqOEd4fDzhIm2RuYJ1V4MJwC9+CEJaYakzRIIRPb4ZpoP
D9U5hpcjjNm/d5jocGt7O4TYVTN6kMr2FVU+gXb/Dy9taNUB274Hy6NyauIXpwat
bjlU6a3bJwu3WDbYcr96HHcUd7GPd4zRJRLL7sapYKpd2Xaq1V9V39L/bmxKw2r6
7zTuxv8LbT27nhAsgvwBXamC6XkxlSvI+1BoYlWehDWDWljwZn641tUziWGFUIsl
zyWKPoivo4vtAOccKltFF5tpM/DLy6/pC4gYnKD0y7dCNBofJf0O7j8HQZBuLIJA
u+M9dTiTxxpj8cbCb5ALLXys5LWt2guytTfFyL7VB4BwiOdurgxDtubK0YzCwgr2
kOF14o6RBsctBP/IMS02CCvNn8ezMrf5NK+rb89c1ICaMwpR48a7deePhZcL7ydM
2eEg5HfIgqFuOxoNxpwcZIxQ4W+XzQqxP89vG9aAJCWQxgp+1Yt+E48R4+3UKCEa
JTKekxvckqerzsFNBF3oKNcBEADjroadVDiEmD6TWeYp2eEin0/9RsqT97YXS6Ly
6gmvK7clE8R7eDvAjG8RQMPYcYlYftEoTtsNYa6gqVsBlnBDhPtAf68BcmprlZtG
gMXeNFZTNJ0yhsSpBw72OjqH2E44VaoXo844aUJiKbXalP1CSuefJBz9Dtbh+eBP
5ZXBpp1iKiYg6TWYVq9pMrvwlv9LamsCclfF2P7i6n6Eq/uIJR/Rpitcps3QUCWb
TtUUOPdTFEcXOOTqmFiTeDdUOq02ILs0MAeVwboiifaOqxioegS4TQm3TVTqETDF
wuTFa3jToqmxnaYQCuelzJcTlh3TatWINXsxTzIzYYUlwlL2JB1Z310WN1k9Y+u0
3neOx6mbP9tK9aw1ks+AelPLxZxTizOpCd1ytnRyXBSn0RSXa3waguATH5zTiOI/
1oLXGUIUeznfpiY1jPoGWjab44mDlwog+9B/c/yazNXGkieZ94v8GslRcNFsCx1B
Fj8RD5SPPy1ltJ8JAmu8A9LbmasrvFOqOPPqDYzLxWh4CC4dBp1D19gy8itcmAoB
yCyO6Ku8KW6p8QalIX+pIJVC8KRcwNuX2a11Qt6WU+6clJ8rRXvj1Kp+7oBMYALW
Lgd0bLN4SLCCbsBzVKYkoif6lo9sIGP+r1nFW2k1i2PJj8qYO634xhtd6KRF64ad
b9ZOCQARAQABwsF8BBgBCAAmFiEEgDEpuPlcsjsTZSNFsJ2os2vIA0sFAl3oKNcC
GwwFCQlo0jkACgkQsJ2os2vIA0uJ2w/9GhZDeusBrPQiZgazbE2E4mfniVAl9qnv
gr9lwvOV7DrPvvIXpLsdJaLJkX2wIArvOSmgkeDwhBku/9jMQiruZu0WbJ2mxCfs
c2ZTNtDowhNteN4hY572nQCSHMAKCT1k0suXMEt95Sir0PPliG5FBhCUL+Z48PMj
Xu9WBXv2DX8b5y4H3YNBBIoUG4dtzGYFmF3Wd1vMYmAeufWq5srmXB6pf+gJwkzD
9HmBgjwc5mJiR4mmMZ5m0asajR4FTm57cEnmOEhdy4XW9T/eIsYl6oUSsVO1jRvL
oy5WQelOq8DrDMBYO4VUPCr36g543Lg7n0+omYf5ciW+scdMtTVPkRPaZOqiWyj1
1kiLH4YstKWBmxNavY/WliEoZ5Gl8gvzdVzoLR/LTju0t/n43VMxGof5uDnWNk5J
GZTQs7r+dNmlOLLvFGdOzLIN9pgbX1gCDd1bGxfFZrTclDUIpWbNKD3FjA87CAOW
knY+v47pvrDE5+L8Jukv94pBjvUOMc6GGY8SyPRCfLtewOq0+dXAhgTnqCowRCSa
YwBeXE9VvxVBjOI4tJUwKDVloXfmkfCYVrx2i/HiHmdOoYhhiby/2Hci9sXYLzCP
0J4ADmHwv34yEIKr94euhjzNjDJaipOQnx319qGNbwYqi+Srrp/FG7esOt5kqGMi
kN1xgaY88VY=
=GvSg
-----END PGP PUBLIC KEY BLOCK-----
Disclosure Policy
Discretionary Disclosure: The researcher or Volkis can request mutual permission to share details of the vulnerability after approval is explicitly received.
We value the work of researchers and the benefit of public disclosure. To that end, we encourage researchers to request permission from us prior to disclosing their findings. If permissions is granted, the researchers should ensure any sensitive and confidential information is removed or redacted prior to publishing.
Ground Rules
To encourage vulnerability research and to avoid any confusion between legitimate research and malicious attack, we ask that you attempt, in good faith, to:
- Play by the rules. This includes following this policy any other relevant agreements;
- Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with us;
- Handle the confidentiality of details of any discovered vulnerabilities according to our Disclosure Policy;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
- You should only interact with test accounts you own or with explicit permission from the account holder; and
- Do not engage in extortion.
Safe Harbor
When conducting vulnerability research according to this policy, we consider this research conducted under this policy to be:
- Authorized in view of any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Authorized in view of relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms and Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.
Contributors
We’d like to thank the following people for their awesome contribution to Volkis’s security, the security of our customers and the security of the Internet. You all rock!
| Hacker | Criticality | Date |
|---|---|---|
| Ajay Sharma | P4 | 2021-12-03 |