Vulnerability Disclosure Program
Overview
This is a responsible disclosure program. Please read every part of this program carefully. We want you to help us improve the security of our application in order to protect the privacy of our users.
As this is a production environment, you have to be really careful and must never bring the application or any related services/servers down, as it is used on a daily basis. Please don't do anything that could harm our customers and/or their data.
All reports are reviewed on a case-by-case basis, and any exploitable report that substantially affects the confidentiality, integrity or availability of any of our eligible services will at a minimum receive Hall of Fame recognition.
Eligible vulnerabilities include, but are not limited to:
- Cross Site Scripting (XSS)
- Authentication and Authorization Flaws
- Cross Site Request Forgery (CSRF)
- Remote Code Execution
- SQL Injection
- Directory Traversal
- Privilege Escalation
What should a report contain?
- The more detailed your steps for reproducing the bug, the better. This should include any pages that you visited, user IDs, links clicked, etc.
- Images are always useful.
- Exploit PoC code that works consistently allows us to verify your vulnerability more quickly.
- Remember: details, details, details! They save time for both you and us by letting us triage the vulnerability more quickly.
How do I submit a bug report?
You can submit a bug report through this link https://app.yogosha.com/cvd/netim/17wvCg0TYQMPLidfTohLkT
A bug report must give a detailed description of the discovered vulnerability and brief steps to reproduce it, or a working proof-of-concept. Video and screenshots can illustrate a bug report, but cannot replace it. If you do not describe the vulnerability in sufficient detail, the discovery process is significantly prolonged, and that doesn't help anybody. It is also very desirable if the security researcher can explain exactly how he or she found a given vulnerability.
Out of scope
The following actions do not qualify for Coordinated Disclosure and should not be tested when participating in the Program:
- DoS or DDoS attacks
- Physical Attacks against our properties or data centers
- Phishing and Social Engineering Attacks
- Missing HTTP security headers which do not lead to a vulnerability (you must deliver a proof of concept that leverages their absence)
- Vulnerabilities in third-party applications or services which use or integrate with our services and applications.
- Reports from automated tools or scans without an exploitation proof of concept
- Missing cookie flags on non-sensitive cookies
- Reports of SSL/TLS best practices or insecure ciphers (unless you have a working proof of concept, and not just a report from a scanner)