Vulnerability Disclosure Terms
This page is created using templates from disclose.io.
Introduction
Security is core to our values, and we value the input of hackers acting in good faith to help us maintain a high standard for the security and privacy of our users. This includes encouraging responsible vulnerability research and disclosure. This policy sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.
Expectations
When working with us according to this policy, you can expect us to:
- Work with you to understand and validate your report, including a timely initial response to the submission;
- Work to remediate discovered vulnerabilities in a timely manner; and
- Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.
Scope
All of Volkis’s assets are in scope unless otherwise stated in the Out-of-Scope section below. This includes:
- *.volkis.com.au
- *.volk.is
- Third-party applications/services/platforms used by Volkis - Make sure that you get consent from the third party before attempting to hack them!
We will only acknowledge submissions that have real-world impact. To better prove this impact, a working Proof of Concept is highly recommended and may result in a better outcome. We will not accept theoretical vulnerabilities such as TLS vulns and missing security headers, unless you can show impact.
Out-of-Scope
The following lists the scope and attacks that are excluded from this policy, meaning that we do not give consent to test against these assets/methods:
- *.volkis.io;
- Social engineering of any kind;
- Physical attacks against Volkis, its employees, or any property belonging to Volkis or its employees;
- (Distributed) Denial of Service of any kind;
- Actions that violate Australian law.
Although submissions with no impact will be reviewed, they are unlikely to be accepted as part of this program. Some examples of submissions that won’t be accepted are:
- Missing HTTP headers;
- Out-of-date software/libraries unless you can prove their impact;
- Theoretical SSL/TLS findings;
- “Best practice” configurations that do not have impact;
- “Self” exploits (such as Self-XSS) and exploits that require significant actions from users.
Rewards
We reward based on the impact of the finding, the quality of the report and how much effort went into the PoC. Keep in mind that we are a small company, but we are hoping to increase our rewards as we grow.
Rewards are based on the severity of the vulnerabilities as outlined in Bugcrowd’s Vulnerability Rating Taxonomy:
Severity | Reward |
---|---|
P1 | $512 - $1337 (+ Swag + cookies*) |
P2 | $256 - $512 (+ Swag) |
P3 | Swag |
P4 | Contributors mention |
P5 | No reward |
(*: Our Managing Director will bake you real cookies. Your choice of Choc Chip or ANZAC. No, really. This isn’t a joke.)
All accepted submissions of P4 and above will receive a mention in our Contributors list below.
The final decision for the reward amount is at our discretion.
Duplicate Submissions
We’ve participated in bug bounties so we know how frustrating dupes are! Although we can’t reward dupes, we vow to reduce their potential by fixing accepted submissions within 60 days.
Official Communication Channels
All submissions should be sent to [email protected].
If you feel you need to encrypt the submission, put the report in a separate file, encrypt that file using the PGP key below and attach it to the email.
PGP Public Key
Fingerprint: B09D A8B3 6BC8 034B
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBF3oKNcBEAC/0W9lMLvLvzYU/9vGKGP17YzLTfbIMvtrhuQp4JfjTeeHZdjw
Peg8ZrKerJn608MtWw1+rFzt9A09EANLT7ffbBhlcPfRh3k/zMY8i8y4nOrAAs9n
8engzI8gmKFfLy14JKwivnXOS9j5M29/43izJo1I2x70HejKh0xgZGjahBOr+rl0
llx2KqIvn6IDbOz26YGXcS3+ZiTSIvmtxlnLjN9+4d/A7EEc+CHasCeE9FNT6gT5
8bgPisXYiNee9KSCf1XkloxCXUxwypBnFSNgBIoG4dmnSpsHoIQ00wHFkWvwCcnW
9CTe9JE/fUz5aibQ6/lDCyfXOYyqc8VUnIZRkRNBaP+JNjmkeZxMU4m8NUnitSFO
KJKaGPtt66mB4zF5uDPfU5S3HQ/ZKFwhEiLM85bF3udwria+rrmveDvH7uLEZGgK
x5JsfiXLtoWSuC8eQdbVTuRZDn5BkbzBoP0uDgoYHhRp6Jc4zSU5fElDy4PGfi1/
ZxZaIODk3nVT8BvWkvD9dJSd11kSdnXiaJL6QSOvEyxELxq7WY+fyzTGfdoRni2E
9FN5Y3H701DqfjVjgDSS4iUpalZ3lmylNotq5D7deQji4hRJfNkAaPq8cvqm7qM2
JqK4653PCASa9vFsCBD8LzETpSkHR/IgFcz30CAhz7pW1lXn673FToFq3wARAQAB
tCBWb2xraXMgSW5mbyA8aW5mb0B2b2xraXMuY29tLmF1PokCVAQTAQgAPgIbAwUL
CQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBIAxKbj5XLI7E2UjRbCdqLNryANLBQJn
4U35BQkTYIE8AAoJELCdqLNryANL2fQQAJviziTcjFQ17htsSz7nvoxgizX83y9m
RW+HY/mD2Eg7ZZDhD8F+lKY6JtXfWMGjxiYsV/bfZp98NnGgYwspAOU4vmRWr2vu
0TuYSFrEK6P/dnA35M98vhRIyKi+ziqSN/m72h8kEshGzaYj+IPwDUgdPd7R3FnI
Xg5C7dMqTmkoMtAztMyFlmhPioICZfGkqX//ckJ2D+PNY9BzwK2FLUG1CInhQfGB
QIwHfwo/6cADEUjISsYApqDWaT9bz9Tgr9cfROj7EQjv6Aq7zflBpR09pWkg4Cb/
NO82UDFlY5hyhXZqcjwL/qkdxyi2DHYzliiBvD9Cto6Wz7SGlZ+XreSG2/O2i41J
dH4ScE3+wlHHvvOOsJQOEeSwzON2/sAg/4LpIVgdhwsvezsvnVgqYWWztTDmq2jf
o7JmibBI+QyB7oYCU8AQ0I+etS8Wsk0jcOK7oUGBzp4PuWuPQR0mha0G+4QyTCuA
QAW/p6z7cVyrFo76rXTLI/kUQynOGtOsF4erd+on+fpZRFw1zBBWkvnZfMKB/9P4
MU4Jo14RyJZJzcytlC3+0DfUxdNDBsiD3a5lNVjcLSdqBEkE2r5GBUiB29LMXpvA
SpgJuN4zRUOp9VffFSU9YOMgHEYbJgFwv/UETDLtC/aEtmYV84fGYPrT6wGGfSmo
vMgdekJNDFxqiQJUBBMBCAA+FiEEgDEpuPlcsjsTZSNFsJ2os2vIA0sFAl3oKNcC
GwMFCQlo0jkFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQsJ2os2vIA0sdRxAA
lXzzetp6MXp+6F8wt6M+5F4cns4aL6JofijPQQTcbTZU3gZajwWS04aKK0VxcKeb
u007pC1XqdXJlU//1v9jW8ILjpw2T2fmkBkEv4878NAH35DiV161wif6SiiNUTS6
YQlsW+YTgZOix1Xsd0Y3SeRBsJHLcpejh0N6t5a9dGsbF+aBaK2o4R3h8POEibZG
5gnVXgwnAL34IQlphqTNEghE9vhmmg8P1TmGlyOM2b93mOhwa3s7hNhVM3qQyvYV
VT6Bdv8PL21o1QHbvgfLo3Jq4henBq1uOVTprdsnC7dYNthyv3ocdxR3sY93jNEl
Esvuxqlgql3ZdqrVX1Xf0v9ubErDavrvNO7G/wttPbueECyC/AFdqYLpeTGVK8j7
UGhiVZ6ENYNaWPBmfrjW1TOJYYVQiyXPJYo+iK+ji+0A5xwqW0UXm2kz8MvLr+kL
iBicoPTLt0I0Gh8l/Q7uPwdBkG4sgkC74z11OJPHGmPxxsJvkAstfKzkta3aC7K1
N8XIvtUHgHCI526uDEO25srRjMLCCvaQ4XXijpEGxy0E/8gxLTYIK82fx7Myt/k0
r6tvz1zUgJozClHjxrt154+FlwvvJ0zZ4SDkd8iCoW47Gg3GnBxkjFDhb5fNCrE/
z28b1oAkJZDGCn7Vi34TjxHj7dQoIRolMp6TG9ySp6u5Ag0EXego1wEQAOOuhp1U
OISYPpNZ5inZ4SKfT/1GypP3thdLovLqCa8rtyUTxHt4O8CMbxFAw9hxiVh+0ShO
2w1hrqCpWwGWcEOE+0B/rwFyamuVm0aAxd40VlM0nTKGxKkHDvY6OofYTjhVqhej
zjhpQmIptdqU/UJK558kHP0O1uH54E/llcGmnWIqJiDpNZhWr2kyu/CW/0tqawJy
V8XY/uLqfoSr+4glH9GmK1ymzdBQJZtO1RQ491MURxc45OqYWJN4N1Q6rTYguzQw
B5XBuiKJ9o6rGKh6BLhNCbdNVOoRMMXC5MVreNOiqbGdphAK56XMlxOWHdNq1Yg1
ezFPMjNhhSXCUvYkHVnfXRY3WT1j67Ted47HqZs/20r1rDWSz4B6U8vFnFOLM6kJ
3XK2dHJcFKfRFJdrfBqC4BMfnNOI4j/WgtcZQhR7Od+mJjWM+gZaNpvjiYOXCiD7
0H9z/JrM1caSJ5n3i/wayVFw0WwLHUEWPxEPlI8/LWW0nwkCa7wD0tuZqyu8U6o4
8+oNjMvFaHgILh0GnUPX2DLyK1yYCgHILI7oq7wpbqnxBqUhf6kglULwpFzA25fZ
rXVC3pZT7pyUnytFe+PUqn7ugExgAtYuB3Rss3hIsIJuwHNUpiSiJ/qWj2wgY/6v
WcVbaTWLY8mPypg7rfjGG13opEXrhp1v1k4JABEBAAGJAjwEGAEIACYCGwwWIQSA
MSm4+VyyOxNlI0Wwnaiza8gDSwUCZ+FN+QUJE2CBPAAKCRCwnaiza8gDS/GrD/wK
j8X7Bpv9x9FvHGE1I5JjwZzB45DOC2zals08SDUegrYKRe/S5s6kcAfxw1RTGuPn
sv6aNoQcJ5jf2xwmJUDDg2EzS59VoSiOz/hElB4YeKNq1x7hXd3SB1VmbPaEuusF
Phf22Oqqmf+wVE8de68N0ffA4/RowPz43Dz1sjLW6v0u1qQkftuZJ5cp4ERf1Gt4
26GRFs0XywXDfBaoqmwq/+ZujdFTl5M8B3cnRcemj+eZOB4XUYDfWyleuPey8z65
pAsAFPFudaAgL2nZwE/6l0Fp/IhVfn8/h5el8c+d69o3yQT62AsAbUT5bKNEd4Xu
lIWDHG2Cnin+PjM39EDy2VsslbeNMbjzmk23PR52rmIHgMnitc0P385EyAL5H/rd
NNndCP8MqWlIGw/OpwcnxQ9hF0+EbWThxdE1iLspyD5kyfiFmPIgWsYWaru0clLu
zWNx/K1o2yq2oytmVzg0jf/ERFjONg27JXyCCtdw5y6YpmUXhD1ORRm5MSz8Wxek
2W333cm6TSppn+enkPeHAzluNqyTONDA7WOYnIVZj/vtfVaVuGFTrJqDJpi9iJZE
TbJDZJPP/x5EQMHQh2/+nDar31WIvclzp0CbUnEtbRGGL/ucyJSQwtcuAe922WMS
/MexvbHB2x1A1INv/46wJfHyaKg5noHrdJM6UeTiEA==
=htXd
-----END PGP PUBLIC KEY BLOCK-----
Disclosure Policy
Discretionary Disclosure: The researcher or Volkis can request mutual permission to share details of the vulnerability after approval is explicitly received.
We value the work of researchers and the benefit of public disclosure. To that end, we encourage researchers to request permission from us prior to disclosing their findings. If permission is granted, the researchers should ensure any sensitive and confidential information is removed or redacted prior to publishing.
Ground Rules
To encourage vulnerability research and to avoid any confusion between legitimate research and malicious attack, we ask that you attempt, in good faith, to:
- Play by the rules. This includes following this policy and any other relevant agreements;
- Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with us;
- Handle the confidentiality of details of any discovered vulnerabilities according to our Disclosure Policy;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
- You should only interact with test accounts you own or with explicit permission from the account holder; and
- Do not engage in extortion.
Safe Harbor
When conducting vulnerability research according to this policy, we consider that research to be:
- Authorized in view of any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Authorized in view of relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms and Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.
Contributors
We’d like to thank the following people for their awesome contribution to Volkis’s security, the security of our customers and the security of the Internet. You all rock!
Hacker | Criticality | Date |
---|---|---|
Shuai Yu | P4 | 2025-03-24 |
Dekow Mohamed Abdisalan | P4 | 2024-07-01 |
Prial Islam | P2 | 2022-10-28 |
Vibhor Sharma | P4 | 2022-09-10 |
Soman Verma | P3 | 2022-06-14 |
Ajay Sharma | P4 | 2021-12-03 |