We are committed to protecting our customers’ information. If you believe you’ve identified a security vulnerability, we appreciate your help in disclosing it in a responsible manner by notifying us by email at firstname.lastname@example.org.
Security is very important to us and we’ll investigate and respond to all vulnerability reports. We are most interested in vulnerabilities associated with vyond.com.
Please take note of the following points:
- Please describe the flaw(s) in sufficient detail, and state the ramifications of the exploits.
- Please include reproducible proof-of-concept if applicable, such as code snippets, request URLs and attack payloads, screenshots, packet trace files or video capture that demonstrate the exploit. If handy, list reference materials at external sites if they might help us better understand the nature of the issue.
- Please avoid reporting several types of vulnerabilities in the same email, as that may hinder us from aggregating similar vulnerability reports, and prevent us from quickly identifying critical vulnerabilities in due course. If you have multiple vulnerabilities to report, please send us an email for each type of vulnerability.
- Please do not engage in testing that can impact our customers or lead to degradation of service, such as denial of service attacks, social engineering and spam. Approval from Vyond is required prior to the use of automated scanners, e.g. Burp or Acunetix, against the site which generates a large volume of requests in a short period of time.
- You are not allowed to conduct penetration tests on the host level.
- You may not harvest information associated with any account that is not yours. In case you accidentally bumped into such information, you should report such vulnerability to us and expunge all locally stored copies of third-party data.
- Please keep your findings secret until we have confirmed and remediated the issues.
- We may contact you to request for additional information if your report does not carry sufficient information for us to understand the context of the issues being reported.
- We will get back to you between 1 business day to 1-3 weeks depending on the severity of the issue, and the quality of your report. Please do not bombard us with status-check inquiries.
- Qualifying disclosures may make you eligible for our hall of fame, as described below.
If a severe vulnerability is discovered, we appreciate your contribution by acknowledging your efforts on our hall of fame subject to the following provisions:
- If we receive multiple reports for the same vulnerability, only the first helpful report will be acknowledged.
- Vyond reserves the right to pick the “first helpful report” by evaluating factors including but not limited to the time of receipt and completeness of the submission. The guiding principle pursuant to helpfulness is how useful the submission in its own right has helped us in identifying and re-mediating a specific qualifying vulnerability.
- By submitting a vulnerability to us, you agree that the decision of whether an acknowledgment is to be provided remains the sole discretion of Vyond.
- Similarly, Vyond reserves the right to reject any vulnerability report at our discretion.
- Acknowledgments are currently listed on the security disclosure page. Vyond reserves the right to relocate the content to another URL as may be required in the future due to site restructuring or for any other reason.
- No monetary compensation will be provided.
- Please note that Clickjacking and CSRF vulnerabilities are only reviewed for sites and pages where the ease of exploit and risk to vyond.com.
The Security Disclosure Program is subject to change or cancellation by Vyond at any time, without notice. As such, Vyond may amend these terms at any time by posting a revised version on our website.
Here are some of the frequently-reported items that we are either in the process of remediating or have decided not to address at this point. Reports regarding these items are not eligible for acknowledgement in the Hall of Fame:
- Session management issues related to vyond.com related to long-running sessions and vulnerabilities that require cookie replay.
- Lack of specific security headers (e.g. HSTS).
Please note that the Vyond service sites that are not part of our web applications are not in the scope of our responsible disclosure program, and are not eligible for the Hall of Fame.
- Third-party endpoints (unless an insecure integration method is used in our in-scope web applications)
- Vyond marketing site (i.e. www.vyond.com)
- Vyond community site (community.vyond.com)
- Vyond support site (support.vyond.com / help.vyond.com)
The following lists examples of vulnerabilities that are eligible and ineligible, respectively, for consideration toward inclusion among the hall of fame. The lists are not exhaustive.
Examples of Qualifying Vulnerabilities
- Authentication bypass
- Cross site scripting
- Server-side code execution
- SQL Injection
- Privilege escalation
- Sensitive information exposure
Examples of Non-Qualifying Vulnerabilities
- Denial of Service
- Social Engineering
- Mixed-content scripts
- Insecure cookies
- Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves be susceptible
- Vulnerabilities specific to out of date browsers
- Web server banner disclosure
- Passage of potentially sensitive tokens on HTTP requests to pre-authorized third party widgets
We want to thank the following individuals for reporting vulnerabilities responsibly to us.
- Rodolfo Godalle (@rodgodalle)
- Koutrouss Naddara
- Osama Mahmood
- Thatipalli Abhishek
- Mihir Mistry
- Ch. Muhammad Osama (@ChMuhammadOsama)
- Arvind Singh Shekhawat (@EhArvindSingh)
- JAYVARDHAN SINGH (@Silent_Screamr)
- Saurabh Chandrakant Nemade (@SaurabhNemade)
- Anurag Giri
- mahipal singh rajpurohit (@rajgurumahi007)
- Sebastian Neef & Richard Kwasnicki
- Renatas Karpuška
- Muhammad Talha Khan (@M7K911)
- Kesav Viswanath Nimmagadda (@kesavnimmagadda)
- Kamil Sevi (@kamilsevi)
- ajay singh negi (@AjaySinghNegi)
- Nadi Abdellah
- Roy Jansen (@RoyJansen_01
- Jaidip Kotak (@JaidipKotak)
- Ahmed Y. Elmogy
- Ramin Farajpour Cami (@MF4rr3ll)
- Ahmed Jerbi
- Ayoub Ait Elmokhtar (@aessadek)
- Sandeep Sudhagani
- ABDULWAHAB Khan (@hackerwahab)
- Pal Patel
- RAVENAL PRAMOD KUMAR (@PramodRavela)
- İsmail BÜLBÜL (Usgf.org.tr)
- Ismail Tasdelen
- Faizan Ahmed
- Ather Iqbal
- Hanz Gumapac
- Akash Pandey (@HNTR03)
- Sagar Kumar Patra (@SagarPatra2705)