Vulnerability Disclosure Program

Committed to Security

IPONWEB is committed to providing the best security possible, and this means being open to independent & public contributions to our platform’s security via the discovery and submission of vulnerabilities. The purpose of this program is to outline the rules of engagement for an independent security researcher (an individual who is not employed by, or contracted by IPONWEB, directly or indirectly), what we will accept as a vulnerability, and what a researcher can expect from us.

At IPONWEB, we define a security vulnerability as an unintended weakness in a product or service that could allow an attacker to compromise the integrity, availability, or confidentiality of that product or service. When reporting vulnerabilities, please consider the attack scenario/exploitability, and the security impact of the bug.

The following issues are considered out of scope:

  • Denial of service attacks
  • Password cracking attempts (except the use of default passwords), including but not limited to:
    • brute forcing
    • rainbow table attacks
    • word list substitution
    • pattern checking
  • Clickjacking on pages with no sensitive actions
  • Attacks requiring takeover of the email or social account authenticating the victim account
  • Tab-nabbing on non-user-provided links
  • Unauthenticated/logout/login CSRF
  • Attacks requiring MITM or physical access to a user’s device
  • Previously known vulnerable libraries without a working Proof of Concept (PoC)
  • Comma Separated Values (CSV) injection without demonstrating exploitation via a PoC
  • Missing best practices in SSL, TLS and HTTP header configuration
  • Social engineering attacks (including phishing, vishing, smishing)
  • Software version disclosure
  • Issues requiring direct physical access to hardware
  • Flaws affecting out-of-date browsers and plugins
  • Email enumeration/account oracles
  • CSP weaknesses
  • Email spoofing
  • Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS

We will investigate all eligible reports and do our best to fix valid issues quickly.

Disclosure Policy

We ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. When disclosing a vulnerability to us, we request that it is submitted with a detailed description of the issue and the steps required to reproduce what you have observed.

It is important to make every attempt possible to protect our customers’ privacy, data confidentiality, and integrity. You agree that you will not disclose vulnerability information to any other third party until granted permission to do so by IPONWEB. We endeavor to grant such permission within two to four weeks from the release of the fix that addresses the discovered vulnerability.

Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue beyond what is needed to demonstrate it, or accesses other users’ data – in other words, anyone who violates this policy.

Program Rules

  • The severity of a vulnerability within a report will be verified using the NVD CVSSv3.1 calculator and within the context of our application. The severity rating coming from that calculation will be considered final.
  • Bounties are not guaranteed and are issued solely at the discretion of IPONWEB.
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • You must disclose all possible ways to exploit an issue in your original report. IPONWEB will not issue a bounty, follow-on bounty, or bonus if we believe you are abusing this process by withholding information from your initial report.
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough for us to reproduce the issue, it may not be eligible for a reward. This usually requires a working PoC, typically in the form of a clickable link that we can verify. Videos or screenshots are not considered definitive proof, and you may be asked to provide additional information.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate a combined impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

General Prohibitions

We ask that you make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Specifically prohibited are the following:

  • Social engineering (e.g. phishing, vishing, smishing).
  • Lateral movement from a compromised host.
  • Any manipulation or further exploit past the initial PoC.
  • Defacing, degrading, or otherwise altering a live system.

Reports

Please submit your report to security@iponweb.net. Your report should include the following:

  • A detailed description of the issue
  • The steps required to reproduce what you have observed, including screenshots or videos
  • A description of how you found the issue

As noted above, within your report, please make every attempt possible to protect our customers’ privacy, data confidentiality, and integrity. Please consider obfuscating or redacting content where it is reasonably possible.

Bounties

IPONWEB’s default policy acknowledges all researchers who submit a valid security vulnerability report. Bounties will only be awarded after an IPONWEB security team member has confirmed the issue during the triage & verification process.

As noted previously, we take a first-come, first-served approach to bounties. If the vulnerability disclosed is already known to us and is already being acted on internally, it will be considered a duplicate, and we will not pay a bounty.

We will generally award bounties soon after we have verified the report rather than waiting until the issue is remediated, as some fixes may have long deployment lead times.

In all cases, bounties are paid at the discretion of IPONWEB, and are only awarded for reports with actual security or privacy impact, not for functionality or other types of bugs. The table below serves as a reference for the bounties that may be paid according to the severity of the vulnerability. Note that these severity scores take into account both public vulnerability data and our internal context: a vulnerability with a critical CVSS score found on a system that has extremely low value to us may not receive a critical severity rating.

CVSS score    Severity   Min Bounty (USD)   Max Bounty (USD)
0.1 – 3.9     Low        $50                $100
4.0 – 6.9     Medium     $100               $250
7.0 – 8.9     High       $500               $750
9.0 – 10.0    Critical   $750               $1,000


Response times

Upon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution.

IPONWEB will use all reasonable efforts to meet the following timelines:

  • Time to acknowledge receipt of submission – 1 business day
  • After acknowledgment, time to triage & verify – 10 business days
  • After verification, respond and if applicable, arrange for a bounty payment – 2 business days

We’ll try to keep you informed about our progress throughout the process.

Safe Harbour

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.


Bounties

IPONWEB’s default policy is to acknowledge all researchers who submit a valid security vulnerability report. Bounties will only be awarded after an IPONWEB team member has confirmed the issue during the Triage process.

As noted previously, we take a first-come, first-served approach to bounties. If the vulnerability disclosed is already known to us and is already being acted on internally, we will not pay a bounty.

We generally won’t wait to award a bounty until after the issue is fixed, as we understand some fixes may have longer deployment lead times. Bounties are only awarded for reports with actual security or privacy impact, not for functionality or other types of bugs.


Response Times

Upon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution.

IPONWEB will use all reasonable efforts to meet the following timelines:

  • Time to acknowledge receipt of submission – 1 business day
  • From acknowledgment, time to triage & verify – 2 business days
  • From verification, time to classify and respond – 10 business days

We’ll try to keep you informed about our progress throughout the process.
