Responsible Disclosure Policy
Introduction
At Finoa, we are committed to ensuring the security of our information, systems, and services and value the role of security researchers in helping us mitigate cyber security risks. If you believe you have discovered a suspected cyber threat or security vulnerability that affects the confidentiality, integrity, or availability of Finoa’s information, systems, or services, please submit a report to our security team via one of the methods below. For the protection of our customers, we treat all information regarding a vulnerability as confidential and ask that you do not publicly disclose, discuss or confirm the details of any suspected security issues. By submitting a vulnerability report, you are agreeing to the terms below (the “Terms of Use”), which are intended to protect both you and us.
Reporting a security issue
If you have identified a security vulnerability, please send us a notification as soon as possible via email to security@finoa.io.
Please include the following information in your report:
- the type of vulnerability identified
- the service/product/URL impacted by the vulnerability
- a detailed description of the vulnerability
- the information necessary to reproduce the issue
- the IP address(es) from which the security vulnerability was identified, together with the date and time of the discovery
- any files that can help in reproducing the vulnerability (e.g. screenshots, images, text files with description details, PoC, source code, scripts, pcap traces, logs, source IP addresses, etc.)
We only accept submissions that contain a complete proof of concept that includes a description of how the vulnerability can be exploited and how this impacts the services of Finoa.
What’s not allowed?
While we encourage security research on our products and services, the following types of research are strictly prohibited:
- Use of a detected vulnerability to obtain more information than necessary for proving the vulnerability.
- Use of the detected vulnerability to spy, modify, delete or distribute any personal or sensitive data.
- Accessing or attempting to access accounts or information you are not authorized to
- Any attempt to modify or destroy information
- Sending or attempting to send unsolicited or unauthorized email or other types of message
- Conducting social engineering (including phishing) on Group employees, contractors, customers, or any other related party
- Posting, transmitting, uploading, linking to, sending, or storing malware that could impact our services, products, or customers
- Exfiltration, disclosure, or use of any proprietary or confidential information or data of Finoa (including customer data) under any circumstances
- Any physical attempts against Finoa property
- Any attempts of a Denial of Service (DoS/DDOS) attacks or brute force attacks against login pages
- Any activity or attempt to gain unauthorized access to Finoa software or systems in violation of the law.
Scope
Any Finoa-owned website, web service, or mobile application that handles reasonably sensitive user data is intended to be in scope. Examples include virtually all content in the following domains:
- www.Finoa.io
- login.Finoa.io
- api.Finoa.io
- Finoa 2FA mobile app on Android and iOS
Out of Scope Vulnerabilities
The following vulnerabilities are considered out of scope for our Responsible Disclosure Program:
Domains
- Any domain that is not listed in the Domains section, is out of scope for this program
- Application
- Self-XSS cannot be used to exploit other users
- Verbose messages/files/directory listings without disclosing any sensitive information
- CORS misconfiguration on non-sensitive endpoints
- Missing cookie flags
- Missing security headers
- Cross-site Request Forgery with no or low impact
- Presence of autocomplete attribute on web forms
- Reverse tabnabbing
- Bypassing rate limits or the non-existence of rate limits.
- Best practices violations (password complexity, expiration, re-use, etc.)
- Clickjacking on pages with no sensitive actions
- CSV Injection
- Hyperlink injection/takeovers
- Mixed content type issues
- Cross-domain referer leakage
- Anything related to email spoofing, SPF, DMARC or DKIM
- Content injection
- Username/email enumeration
- Email bombing
- HTTP Request smuggling without any proven impact
- Homograph attacks
- XMLRPC enabled
- Banner grabbing/Version disclosure
- Open ports without an accompanying proof-of-concept demonstrating vulnerability
- Weak SSL configurations and SSL/TLS scan reports
- Not stripping metadata of images
- Disclosing API keys without proven impact
- Same-site scripting
- Subdomain takeover without having taken over the subdomain
- Arbitrary file upload without proof of the existence of the uploaded file
- Blind SSRF without proven business impact (DNS pingback only is not sufficient)
- Disclosed and/or misconfigured Google API key (including maps)
- Host header injection without proven business impact.
General
- In case a reported vulnerability was already known to the company, it will be flagged as a duplicate
- Theoretical security issues with no realistic exploit scenario(s), or issues that would require complex end-user interactions to be exploited, may be excluded or be lowered in severity
- Spam, social engineering, and physical intrusion
- DoS/DDoS attacks
- Brute force attacks against login pages
- Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted
- Attacks requiring physical access to a victim’s computer/device, man in the middle or compromised user accounts
- Recently disclosed zero-day vulnerabilities in commercial products where no patch or a recent patch (< 2 weeks) is available, would require a period of 2 weeks after the zero-day vulnerability has been disclosed, before reporting the same to us.
- Reports that state that software is out of date/vulnerable without a proof-of-concept.
Mobile
- Shared links leaked through the system clipboard
- Any URIs leaked because a malicious app has permission to view URIs opened
- The absence of certificate pinning
- Sensitive data in URLs/request bodies when protected by TLS
- Lack of obfuscation
- Path disclosure in the binary
- Lack of jailbreak & root detection
- Crashes due to malformed URL Schemes
- Lack of binary protection (anti-debugging) controls, mobile SSL pinning
- Snapshot/Pasteboard leakage
- Runtime hacking exploits (exploits only possible in a jailbroken environment)
- API key leakage used for insensitive activities/actions
- Attacks requiring physical access to the victim's device
Safe harbor for researchers is applied
Finoa considers ethical hacking activities conducted consistent with the Researcher Guidelines, the Program description, and restrictions (the Terms) to constitute “authorized” conduct under criminal law.
Ethical hacking is the activities performed on behalf of Finoa with the intention of helping and supporting Finoa in the identification of cybersecurity risks listed under Scope and for their fix.
Finoa will not pursue civil action or initiate a complaint for accidental, good faith violations, nor will we file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities.
If legal action is initiated by a third party against you and you have complied with the Terms, Finoa will take steps to make it known that your actions were conducted in compliance and with our approval.
Notwithstanding, Finoa preserves the right to pursue civil or criminal action or initiate a complaint, filing a complaint for circumventing technological measures if it is of the opinion that the restricted activities under “What’s not allowed” section are performed or the hacking activities are performed with malicious intentions.
If you’re not sure whether your conduct complies with this policy, please contact us first at security@finoa.io and we will do our best to clarify.
Terms of Use and Guidelines for Reporting
To ensure a collaborative approach, please respect the guidelines set out below
- You are contacting us in your personal capacity and are at least 18 years old or have reached the age of 16 yrs and have permission from your parent or guardian.
- You agree that any oral or written information exchanged between you and Finoa in connection with this Terms of Use is confidential. You will maintain confidentiality of all such confidential information and will not disclose any relevant confidential information, including information you obtained during testing to any third parties without obtaining the written consent of Finoa. You also agree to delete all confidential information obtained during testing immediately after reporting to us.
- You will only conduct security and vulnerability research as a black box unless being given an account by Finoa explicitly for security testing purposes. You will not use social engineering or brute force methods to attempt to obtain confidential credentials. You will not engage in any activity that could harm Finoa, our customers, employees, services and/or assets.
- You agree to comply with all applicable laws and regulations in connection with your security research activities
- You will allow us a reasonable opportunity to investigate and respond prior to contacting anyone else about this matter.
- By submitting information relating to a vulnerability, you grant us a perpetual, worldwide, royalty-free, fully paid-up license to use and disclose any information you submit, including any proofs of concept, patches, improvements, suggestions, code samples, or any other information, in connection with the vulnerability to analyze, remediate or improve our systems and networks, incorporate it into our products or services, and to conduct further testing, or for any other legitimate business purpose. We do not grant you any intellectual property rights to any image, information, writing, invention, code, or other creation in connection with these Terms of Use.
- Nothing in connection with your submission of a vulnerability shall indicate that you are an employee of Finoa and the relationship between you and Finoa shall not constitute a partnership, joint venture, or agency. You shall not have the authority to make any statement, representation, or commitment on Finoa’s behalf.
- Finoa, its affiliates, representatives, contractors, and employees shall not be liable to you in connection with these Terms of Use for any direct, indirect, exemplary, incidental, special, or consequential damages. Unless otherwise agreed by Finoa, any information submitted by you in connection with a vulnerability is provided at no charge and Finoa shall not owe you any fee for that submission or any services performed or expenses incurred.
On behalf of ourselves and our users and customers, thank you again for helping us improve our cybersecurity.
Finoa reserves the right, in its sole discretion, to modify the terms of the Responsible Disclosure Guidelines or to terminate any or all of them at any time.