Responsible Disclosure Policy


Introduction

At Finoa, we are committed to ensuring the security of our information, systems and services and value the role of security researchers in helping us mitigate cyber security risk. If you believe you have discovered a suspected cyber threat or security vulnerability that affects the confidentiality, integrity or availability of Finoa’s information, systems or services, please submit a report to our security team via one of the methods below. For the protection of our customers, we treat all information regarding a vulnerability as confidential and ask that you do not publicly disclose, discuss or confirm the details of any suspected security issues.


What’s not allowed?

While we encourage security research on our products and services, the following types of research are strictly prohibited:

  1. Accessing or attempting to access accounts or information you are not authorised to
  2. Any attempt to modify or destroy information
  3. Sending or attempting to send unsolicited or unauthorised email or other types of message
  4. Conducting social engineering (including phishing) on Group employees, contractors, customers or any other related party
  5. Posting, transmitting, uploading, linking to, sending or storing malware that could impact our services, products or customers
  6. Exfiltration, disclosure or use of any proprietary or confidential information or data of Finoa (including customer data) under any circumstances
  7. Any physical attempts against Finoa property
  8. Any Denial of Service (DoS/DDoS) attempts
  9. Any activity or attempt to gain unauthorised access to Finoa software or systems in violation of law

Scope

Any Finoa owned website, web-service or mobile application that handles reasonably sensitive user data is intended to be in scope. Examples include virtually all content in the following domains:

  1. www.Finoa.io
  2. login.Finoa.io
  3. api.Finoa.io
  4. Finoa 2FA mobile app on Android and iOS

Out of Scope Vulnerabilities

The following vulnerabilities are considered out of scope for our Responsible Disclosure Program:

  1. Vulnerabilities identified with automated tools (including web scanners) that do not include proof-of-concept code or a demonstrated exploit
  2. Third-party applications, websites or services that integrate
  3. Discovery of any in-use service (vulnerable third-party code, for example) whose running version includes known vulnerabilities without demonstrating an existing security impact
  4. Missing security best practices, e.g. security headers, mixed content, SSL/TLS, etc.
  5. Rate limiting issues
  6. Password Policy
  7. CSRF vulnerabilities without any impact
  8. Host header injection without proof of user data extraction
  9. DoS/DDoS
  10. Autocomplete attribute on web forms
  11. Software version disclosure and verbose error pages (without proof of exploitability)
  12. Open ports without an accompanying proof-of-concept demonstrating vulnerability
  13. Disclosure of known public files or directories
  14. Use of outdated software/library versions
  15. Clickjacking on pages with no sensitive actions

Reporting a security issue

You can responsibly disclose suspected vulnerabilities to Finoa’s cyber security team by emailing: security@finoa.io.


Report structure

To assist us in investigating your report, we recommend you follow the structure below:

  1. Affected product or service, including affected URL(s)
  2. Your name and contact information (if you do not wish to provide your personal information, you may contact us anonymously, or by using a pseudonym)
  3. Date, time and time zone of when the suspected vulnerability was discovered
  4. IP address used when the suspected vulnerability was discovered
  5. Steps to reproduce the vulnerability (clear proof of concept)

Guidelines for Reporting

To ensure a collaborative approach, please respect the guidelines set out below.

  1. You are contacting us in your personal capacity and are at least 18 years of age or have your parent or guardian’s permission to contact us
  2. You will not engage in any activity that could harm Finoa, our customers, employees, services and/or assets
  3. You will not share, compromise or disclose any personally identifiable information
  4. You will only conduct security and vulnerability research with accounts you own or with the express consent of the account holder. You will not use social engineering or brute force methods to attempt to obtain confidential credentials
  5. You agree to comply with all applicable laws and regulations in connection with your security research activities
  6. You will allow us a reasonable opportunity to investigate and respond prior to contacting anyone else about this matter