Vulnerability Disclosure Policy

Introduction
This website is operated by Hacktiv8. Throughout the site, the terms “we”, “us” and “our” refer to Hacktiv8. This website and its domains are names and domains affiliated with Hacktiv8, and the pages, links, features, content and services offered by Hacktiv8 are owned and operated entirely by Hacktiv8.

Hacktiv8 is committed to bringing positive impacts to society. We are committed to securing our corporate systems, protecting the data entrusted to us by our clients and partners, and maintaining the reliability of our products and/or services. Therefore, we welcome independent security researchers to discover any vulnerabilities that Hacktiv8’s electronic systems or applications may have.

This Vulnerability Disclosure Policy is intended to provide clear guidelines for independent security researchers for conducting vulnerability discovery activities, the terms and conditions for conducting such activities directed at Hacktiv8’s electronic systems or applications, and submitting the discovered vulnerabilities to us. We require that all submissions remain confidential and are not disclosed to any other parties.

Please note that Hacktiv8 does not operate a bug bounty program. By submitting a vulnerability report, you acknowledge that you have no expectation of payment and that you expressly waive any future claims for payment against Hacktiv8 related to your submission. However, we highly appreciate your efforts in identifying vulnerabilities or errors in our systems, as your feedback will contribute to improving the security and reliability of our products and services. Thank you for helping keep Hacktiv8 and our users safe.
Test Methods
We encourage you to report potential vulnerabilities in our systems to us. When testing, we ask that you:
  • Do not intentionally damage or degrade the integrity of Hacktiv8’s services.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
  • Make a good faith effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Once you’ve established that a vulnerability exists or encountered any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
Restricted Actions
While conducting tests to discover vulnerabilities, we ask you to refrain from:
  • Conducting network denial of service (DoS or DDoS) tests or other tests that impair access to or damage Hacktiv8’s system or data.
  • Conducting physical testing (e.g. office access, open doors, tailgating), spamming, social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.
  • Brute-forcing or guessing credentials to gain access to systems.
  • Exploiting any vulnerabilities found beyond what is necessary to confirm their presence.
  • Publicly disclosing a vulnerability without our review and explicit prior written consent.
  • Engaging or targeting any of Hacktiv8’s employees, customers, partners, vendors or suppliers during your testing.
  • Attempting to extract, download, or otherwise exfiltrate data that may have Personal Identifiable Information (PII) or other sensitive data other than your own.
  • Engaging in activities that would be considered a privacy violation, cause destruction of data, or interrupt or degrade Hacktiv8’s service.
  • Leaking, modifying, destroying, misusing, or abusing any data or system files.

The list above sets out the unauthorized test methods and actions that you shall not perform. Performing any of those actions constitutes a violation of this policy.
Out-of-scope Vulnerabilities
  • Presence, absence, or incomplete configuration of DMARC records and related email configuration
  • XSS on any domain other than hacktiv8.com and hacktiv8.ac.id
  • XSS that impacts intra-workspace colleagues
  • HTTP security headers, CSRF issues, and other low-risk issues
  • Subdomain takeover without verifiable evidence.
  • Account harvesting (e.g. username enumeration on WordPress).
  • Gaining access to keys and credentials without being able to use them.
  • Lack of rate limiting on API endpoints, unless the missing limit allows a short numeric token or PIN to be brute-forced (e.g. a 4-digit passcode with no limit on verification attempts).
  • Security vulnerabilities found on rooted mobile devices.
  • UUID enumeration.
  • SSL Pinning vulnerabilities.
  • Invite/Promo code enumeration.
  • Open redirects. 99% of open redirection vulnerabilities have a low security impact; however, we also consider the rare cases with a high security impact, such as theft of OAuth tokens.
  • Reporting outdated or vulnerable software versions without evidence of real impact, or vulnerabilities that only affect outdated versions of user agents or applications. We only consider exploits performed using the latest versions of web browsers such as Safari, Firefox, Chrome, Edge and IE, and the versions of applications available on the Google Play Store or App Store.
  • Stack traces, path disclosures, and directory listings.
  • CSV injection.
  • Vulnerabilities with no immediate impact.
  • Reports that only speculate on a theoretical vulnerability without any evidence of the vulnerability.
  • Vulnerabilities that cannot be exploited by other users or Hacktiv8 – e.g. Self-XSS (usually done by embedding JavaScript in the browser console).
  • Vulnerabilities that are in a sandbox or staging environment.
  • Vulnerabilities reported by automated applications without any additional analysis of how the vulnerability was discovered.
  • Vulnerabilities reported by automated web application scanners (Acunetix, Vega, etc.) without manual validation.
  • Distributed denial of service attacks (DDOS) or activities that could cause disruption to service.
  • Content injection vulnerabilities.
  • Cross-site Request Forgery (CSRF) with minimal security impact (logout CSRF, etc.).
  • Missing cookie flags on non-authentication cookies.
  • Email Spoofing.
  • Missing HTTP security headers.
  • Lack of HTTPOnly and Secure cookie flags.
  • Security vulnerabilities that require access to the physical device or computer of the victim.
  • SSL/TLS scan reports (results obtained from online applications such as SSL Labs).
  • Banner grabbing (such as obtaining the version of the web server we are using).
  • Open ports without an explanation of the resulting security vulnerability and its impact.
  • Broken Link Hijacking.
Disclosure Policy
Upon discovery of a potential security issue, please provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
Reporting
Vulnerabilities can be reported to our security team by sending an email to halo@hacktiv8.com with a detailed description and proof of concept that highlights the vulnerabilities.

Supplying your contact information with your report is entirely voluntary and at your discretion. Supplying your contact information does not guarantee that you will receive any response from Hacktiv8 regarding your report. We may contact you regarding the contents of the report at our sole discretion.

In order to help us triage and prioritize submissions, we recommend that your reports:
  • Describe the location where the vulnerability was discovered and the potential impact of exploitation.
  • Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).

We would appreciate that you do not submit a high volume of low-quality reports.

By submitting a vulnerability report to Hacktiv8, you expressly agree to the following terms:
  • You assign all use and ownership rights of the report to Hacktiv8.
  • Your actions and interactions with Hacktiv8 leading up to the report are not in violation of any applicable laws.
  • You have no intention of harming Hacktiv8, its customers, employees, partners, vendors, or suppliers.
  • In conducting the test to expose vulnerabilities, you make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data, and interruption or degradation of our electronic systems, products and/or services.
  • You agree to not disclose any information about the report and vulnerability described within, and the fact that you submitted a report to Hacktiv8.
  • You agree that the report is made out of goodwill, and is done without any expectations of rewards, monetary or otherwise, from Hacktiv8.
  • You agree to not exploit a security issue that you discover for any reason. This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.
  • You agree to not intentionally violate any other applicable laws or regulations, including (but not limited to) laws and regulations prohibiting unauthorized access to data.
  • If you want to publish the vulnerability you are reporting, you agree to give Hacktiv8 reasonable time to fix it; you may disclose it to the public only after you receive explicit prior written approval from Hacktiv8, and at least 3 (three) months after the discovered vulnerability is fixed.
  • Hacktiv8 reserves the right to decide in its sole discretion whether the submitted reports are allowed to be published to the public or not.
  • Reports with critical severity are not allowed to be published by researchers without prior explicit written consent from Hacktiv8.
  • If you publish reports for any reason without Hacktiv8’s explicit prior written consent, you agree that Hacktiv8 has the right to take any legal action against you.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Hacktiv8 reserves all legal rights available to it, through both civil and criminal proceedings, in the event of non-compliance with this policy.
Contact Information
Questions regarding this policy may be sent to halo@hacktiv8.com. We also invite you to contact us with suggestions for improving this policy.