Responsible Disclosure

Reporting

  • Reach out to security@hippovideo.io if you have found a potential vulnerability in our products that meets all the criteria below. You can expect a confirmation from our security team within about 48 working hours of submission.
  • Please refrain from doing security testing in existing customer accounts.
  • When conducting security testing, make sure not to violate our privacy policies, modify/delete unauthenticated user data, disrupt production servers, or to degrade user experience.
  • You are allowed to disclose the discovered vulnerabilities only to security@hippovideo.com. Documenting any potential in-scope or out-of-scope vulnerability to the public is against our responsible disclosure policy.
  • If your finding is valid and unique, we would be happy to acknowledge your efforts in our Hall of Fame page.

    The following domains are in scope:

    • *.hippovideo.io

Out of Scope Vulnerabilities

  • Clickjacking / UI Redressing attack
  • Self-XSS and XSS that affects only outdated browsers
  • Use of components with known vulnerabilities without a relevant proof of concept (PoC) of an attack
  • Host header and banner grabbing issues
  • Denial of Service attacks and Distributed Denial of Service attacks
  • Automated tool scan reports (for example, web, SSL/TLS, or Nmap scan results)
  • Missing HTTP security headers and cookie flags on insensitive cookies
  • Rate limiting, brute force attack
  • Login/logout/low-business impact CSRF
  • Unrestricted file upload
  • Open redirects - unless they can be used for actively stealing tokens
  • Formula/CSV Injection
  • Vulnerabilities that require physical access to the victim's machine
  • User enumeration (for example, user email, user ID)
  • Phishing / Spam (including issues related to SPF/DKIM/DMARC)
  • Missing security best practices
  • Vulnerabilities found in third party services
  • Session fixation and session timeout


Security Acknowledgements

We want to thank and recognize the following individuals who have responsibly disclosed one or more security vulnerabilities in the Hippovideo suite of products and are enabling us to better serve our customers.

Acknowledgements by year: