Posted on April 14, 2017 6:13 pm

Responsible Disclosure Policy

Version 2.9 – November 2016

Responsible Disclosure

We are dedicated to maintaining the security and privacy of the Aptible platform. We welcome security researchers from the community who want to help us improve our services.

If you discover a security vulnerability, please give us the chance to fix it by emailing us at security@aptible.com. Publicly disclosing a security vulnerability without informing us first puts the rest of the community at risk. When you notify us of a potential problem, we will work with you to make sure we understand the scope and cause of the issue.

Thank you for your work and interest in making the community safer and more secure!

Bounty Program

Aptible rewards security researchers for reporting vulnerabilities. Please email security@aptible.com to report an issue.

If you would like to be eligible for a bounty, please read this carefully.

Rules

  1. NEVER attempt to gain access to another user’s account or data.
  2. NEVER attempt to degrade the services.
  3. NEVER impact other users with your testing.
  4. Test only on in-scope domains, listed below.
  5. Do not use fuzzers, scanners, or other automated tools to find vulnerabilities.

Doing any of the above will render you ineligible for cash bounties.

Scope

Only the following services are in-scope:

  • api.aptible.com
  • auth.aptible.com
  • dashboard.aptible.com
  • gridiron.aptible.com
  • compliance.aptible.com
  • billing.aptible.com

The following types of reports/attacks are out of scope. Do not attempt them:

  • DoS (denial-of-service) attacks
  • Brute forcing login/account management pages
  • Physical vulnerabilities
  • Social engineering attacks (e.g. phishing)

The following types of bugs do not qualify for bounties:

  • CSRF on forms that are available to anonymous users (e.g., signup, login, contact, Intercom)
  • Self-XSS and issues exploitable only through Self-XSS
  • Clickjacking and issues only exploitable through clickjacking
  • Functional, UI and UX bugs and spelling mistakes
  • Descriptive error messages (e.g. stack traces, application or server errors)
  • HTTP 404 codes/pages or other HTTP error codes/pages
  • Banner disclosure on common/public services
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Presence of application or web browser “autocomplete” or “save password” permission
  • Email authentication issues (SPF records, etc.)
  • User enumeration on login

Top Researchers

  • Frans Rosen
  • Adam Enger
  • Mohammed Shameem Shahnawaz
  • Josha Bronson, Bronsec Inc.
  • Jubaer Al Nazi, ServerGhosts, Bangladesh
  • Ali Hassan Ghori
  • Nessim Jerbi

PGP

If you choose to email us, encrypting your email is not required. Should you deem it necessary, our public key for