Responsible Disclosure Policy
Reporting a security issue
We are currently operating an invite-only bug bounty with Intigriti. In order to participate, please register for an account with Intigriti. Then send an email to us at email@example.com from your @intigriti.me email address. We will then invite you to our bounty program. Once onboarded, you will be able to review our bounty terms and scope, and safely share your findings with the team.
What’s not allowed?
While we encourage security research on our products and services, the following types of research are strictly prohibited:
- Use of a detected vulnerability to obtain more information than is necessary to prove the vulnerability
- Use of a detected vulnerability to spy on, modify, delete or distribute any personal or sensitive data
- Accessing or attempting to access accounts or information you are not authorized to access
- Any attempt to modify or destroy information
- Sending or attempting to send unsolicited or unauthorized email or other types of messages
- Conducting social engineering (including phishing) on Group employees, contractors, customers, or any other related party
- Posting, transmitting, uploading, linking to, sending, or storing malware that could impact our services, products, or customers
- Exfiltration, disclosure, or use of any proprietary or confidential information or data of Finoa (including customer data) under any circumstances
- Any physical attempts against Finoa property
- Any Denial of Service (DoS/DDoS) or brute-force attacks against login pages
- Any activity or attempt to gain unauthorized access to Finoa software or systems in violation of the law
Scope
Any Finoa-owned website, web service, or mobile application that handles reasonably sensitive user data is intended to be in scope. Examples include virtually all content in the following domains:
- Finoa 2FA mobile app on Android and iOS
Out of Scope Vulnerabilities
The following vulnerabilities are considered out of scope for our Responsible Disclosure Program:
- Any domain that is not listed in the Domains section is out of scope for this program
- Self-XSS that cannot be used to exploit other users
- Verbose messages/files/directory listings without disclosing any sensitive information
- CORS misconfiguration on non-sensitive endpoints
- Missing cookie flags
- Missing security headers
- Cross-site Request Forgery with no or low impact
- Presence of autocomplete attribute on web forms
- Reverse tabnabbing
- Bypassing rate limits or the non-existence of rate limits
- Best practices violations (password complexity, expiration, re-use, etc.)
- Clickjacking on pages with no sensitive actions
- CSV Injection
- Hyperlink injection/takeovers
- Mixed content type issues
- Cross-domain referer leakage
- Anything related to email spoofing, SPF, DMARC or DKIM
- Content injection
- Username/email enumeration
- Email bombing
- HTTP Request smuggling without any proven impact
- Homograph attacks
- XMLRPC enabled
- Banner grabbing/Version disclosure
- Open ports without an accompanying proof-of-concept demonstrating vulnerability
- Weak SSL configurations and SSL/TLS scan reports
- Not stripping metadata of images
- Disclosing API keys without proven impact
- Same-site scripting
- Subdomain takeover without having taken over the subdomain
- Arbitrary file upload without proof of the existence of the uploaded file
- Blind SSRF without proven business impact (DNS pingback only is not sufficient)
- Disclosed and/or misconfigured Google API key (including maps)
- Host header injection without proven business impact
- If a reported vulnerability is already known to the company, it will be flagged as a duplicate
- Theoretical security issues with no realistic exploit scenario(s), or issues that would require complex end-user interaction to be exploited, may be excluded or lowered in severity
- Spam, social engineering, and physical intrusion
- DoS/DDoS attacks
- Brute force attacks against login pages
- Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted
- Attacks requiring physical access to a victim’s computer/device, a man-in-the-middle position, or compromised user accounts
- Recently disclosed zero-day vulnerabilities in commercial products for which no patch, or only a recent patch (< 2 weeks old), is available: please wait 2 weeks after the zero-day vulnerability has been publicly disclosed before reporting it to us
- Reports that state that software is out of date/vulnerable without a proof-of-concept
- Shared links leaked through the system clipboard
- Any URIs leaked because a malicious app has permission to view URIs opened
- The absence of certificate pinning
- Sensitive data in URLs/request bodies when protected by TLS
- Lack of obfuscation
- Path disclosure in the binary
- Lack of jailbreak & root detection
- Crashes due to malformed URL Schemes
- Lack of binary protection (anti-debugging) controls or mobile SSL pinning
- Snapshot/Pasteboard leakage
- Runtime hacking exploits (exploits only possible in a jailbroken environment)
- API key leakage used for insensitive activities/actions
- Attacks requiring physical access to the victim's device
Safe harbor for researchers
Finoa considers ethical hacking activities conducted consistent with the Researcher Guidelines, the Program description, and restrictions (the Terms) to constitute “authorized” conduct under criminal law.
Ethical hacking means activities performed on behalf of Finoa with the intention of helping and supporting Finoa in identifying the cybersecurity risks listed under Scope and in fixing them.
Finoa will not pursue civil action or initiate a complaint for accidental, good faith violations, nor will we file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities.
If legal action is initiated by a third party against you and you have complied with the Terms, Finoa will take steps to make it known that your actions were conducted in compliance and with our approval.
Notwithstanding the above, Finoa reserves the right to pursue civil or criminal action, or to file a complaint (including a complaint for circumventing technological measures), if in its opinion the activities restricted under the “What’s not allowed” section have been performed, or the hacking activities have been performed with malicious intent.
If you’re not sure whether your conduct complies with this policy, please contact us first at firstname.lastname@example.org and we will do our best to clarify.
To ensure a collaborative approach, please respect the guidelines set out below:
- You are contacting us in your personal capacity and are at least 18 years old, or have reached the age of 16 years and have permission from your parent or guardian.
- You will only conduct security and vulnerability research as black-box testing unless Finoa explicitly gives you an account for bug bounty test purposes. You will not use social engineering or brute-force methods to attempt to obtain confidential credentials. You will not engage in any activity that could harm Finoa, our customers, employees, services and/or assets.
- You agree to comply with all applicable laws and regulations in connection with your security research activities.
- You will allow us a reasonable opportunity to investigate and respond before contacting anyone else about the matter.
- Nothing in connection with your submission of a vulnerability shall indicate that you are an employee of Finoa and the relationship between you and Finoa shall not constitute a partnership, joint venture, or agency. You shall not have the authority to make any statement, representation, or commitment on Finoa’s behalf.
On behalf of ourselves and our users and customers, thank you again for helping us improve our cybersecurity.
Finoa reserves the right, in its sole discretion, to modify the terms of the Responsible Disclosure Guidelines or to terminate any or all of them at any time.