Responsible Disclosure


Notice:

We have decided to temporarily suspend the bug bounty program to catch up on the backlog of reports and prioritize other improvements on our roadmap. We will update this message when the bounty program is open to new submissions again.

Introduction:

At the Hyperstack Corporation, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.

Please do the following:

  • E-mail your findings to hello@thehyperstack.com
  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data,
  • Do not reveal the problem to others until it has been resolved,
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties, and
  • Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.

What we promise:

  • We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date,
  • If you have followed the instructions above, we will not take any legal action against you in regard to the report,
  • We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission,
  • We will keep you informed of the progress towards resolving the problem,
  • In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise), and
  • As a token of our gratitude for your assistance, Critical & High severity valid bug reporters will be listed on Hyperstack's wall of Fame. Of course, we will need to know if you want the recognition, in which case you will be required to give us your name and Twitter handle, LinkedIn Profile as you wish it to be displayed on our Hall of Fame page.
  • We currently do not offer any monetary compensation. However, we may send out Hyperstack swag in some cases.
  • Requests or demands for monetary compensation in connection with any identified or alleged vulnerability are non-compliant with this Responsible Disclosure Policy.

Valid Vulnerability Categories

Automated tools or scripts ARE STRICTLY PROHIBITED, and any POC submitted to us should have a proper step-by-step guide to reproduce the issue. Abuse of any vulnerability found shall be liable for legal penalties

  • 1. Cross-Site Request Forgery ** - With significant security impact
  • 2. Cross-Site Scripting ** Self-XSS is out of scope
  • 3. Open Redirects ** With significant security impact
  • 4. Cross Origin Resource Sharing ** With significant security impact
  • 5. SQL injections
  • 6. Server Side Request Forgery
  • 7. Privilege Escalation
  • 8. Local File Inclusion
  • 9. Remote File Inclusion
  • 10. Leakage of Sensitive Data
  • 11. Authentication Bypass
  • 12. Directory Traversal
  • 13. Payment Manipulation
  • 14. Remote Code Execution

In Scope Domain

studio.thehyperstack.com

Out of Scope

  • Price manipulation WITHOUT SUCCESSFUL TRANSACTION
  • Any services hosted by 3rd party providers and services not provided by Hyperstack
  • Any service that is not mentioned in the In Scope domains section
  • IDOR references for objects that you have permission to access
  • Duplicate submissions that are being remediated
  • Known issues
  • Multiple reports for the same vulnerability type with minor differences (only one will be rewarded)
  • Open redirects
  • Clickjacking and issues only exploitable through clickjacking
  • Only session cookies needed http and secure flags. Apart from these, for other cookies we won’t consider as vulnerability
  • Issues without clearly identified security impact such as missing security headers.
  • Vulnerabilities requiring physical access to the victim's unlocked device.
  • Formula Injection or CSV Injection
  • DOM Based Self-XSS and issues exploitable only through Self-XSS.
  • System and Infrastructure Related
    • Networking issues or industry standards
    • Email related:
      • SPF or DMARC records
      • Gmail "+" and "." acceptance
      • Email bombs
      • Unsubscribing from marketing emails
    • Information Leakage:
      • HTTP 404 codes/pages or other HTTP non-200 codes/pages
      • Fingerprinting / banner disclosure on common/public services
      • Disclosure of known public files or directories (e.g. robots.txt)
    • Cacheable SSL pages
    • Login and Session Related
      • Forgot Password page bruteforce and account lockout not enforced
      • Lack of Captcha
      • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
      • Session Timeouts

Eligibility

  • Be the first to report the issue to us.
  • Must pertain to an item explicitly listed under Vulnerability Categories.
  • Must contain sufficient information including a proof of concept screenshot, video, or code snippet where needed.
  • You agree to participate in testing the effectiveness of the countermeasure applied to your report.
  • You agree to keep any communication with Hyperstack private.

Public Disclosure Policy:

By default, this program is in “PUBLIC NONDISCLOSURE” mode which means: "THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ONE SHOULD NOT RELEASE THE INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO PUBLIC, FAILING WHICH SHALL BE LIABLE FOR LEGAL PENALTIES!”

Conclusion

We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved. Hyperstack reserves the rights to discontinue the reward program without previous notice at any time. We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. Hyperstack employees and their family members are not eligible for bounties.

Bug Bounty Hall of Fame

On behalf of the Hyperstack and the thousands of people who visit our sites, use Hyperstack and our other products we would like to thank them for their hard work in helping to make us more secure. Congratulations to everybody who has participated!

1st Quarter 2021

Abhijith A
Responsible DisclosurePlease do the followingWhat we promiseValid Vulnerability CategoriesIn Scope DomainOut of ScopeEligibilityPublic Disclosure PolicyConclusionHall of Fame