Reach out to email@example.com, if you have found any potential vulnerability in our products meeting all the below mentioned criteria. You can expect a confirmation from our security team in about 48 working hours of submission.
Please refrain from doing security testing in existing customer accounts.
When conducting security testing, make sure not to violate our privacy policies, modify/delete unauthenticated user data, disrupt production servers, or to degrade user experience.
You’re allowed to disclose the discovered vulnerabilities only to firstname.lastname@example.org. Documenting any potential In/Out of scope vulnerability to the public is against our responsible disclosure policy.
If your finding is valid and unique, we would be happy to acknowledge your efforts in our Hall of Fame page.
The following domains are in scope :
Out of Scope Vulnerabilities
Clickjacking / UI Redressing attack
Self-XSS and XSS that affects only outdated browsers
Using components of known vulnerability without relevant POC of attack
Host header and banner grabbing issues
Denial of Service attacks and Distributed Denial of Service attacks
Missing HTTP security headers and cookie flags on insensitive cookies
Rate limiting, brute force attack
Login/logout/low-business impact CSRF
Unrestricted file upload
Open redirects - unless they can be used for actively stealing tokens
Vulnerabilities that requires physical access to the victim machine.
User enumeration such as User email, User ID etc.,
Phishing / Spam (including issues related to SPF/DKIM/DMARC)
Missing security best practices
Vulnerabilities found in third party services
Session fixation and session timeout
We want to thank and recognize the following individuals who have responsibly disclosed one or more security vulnerabilities in the Hippovideo suite of products and are enabling us to better serve our customers.