Responsible Disclosure of Vulnerabilities

June 2022

We at CyberHawkz are dedicated to providing the best security products and services possible. As a team of enthusiastic security researchers, we work vigilantly every day to keep our customers' information secure. But we truly believe nothing is completely secure, no matter how much effort we put in. Therefore, we welcome responsible security researchers from the community to help us improve our products and services and secure our users' data. We take security very seriously and are constantly working to enhance the security flaw/vulnerability detection within our products.

If you believe you have found an issue with our service or product, we thank you for bringing it to our attention. Please let us know privately, and we will get back to you within 7-10 business days.

Rewards

CyberHawkz would like to thank you for helping us make our app safer for everyone. Although we are not offering monetary rewards for any vulnerabilities at this time, we will send you a token of our appreciation in the form of “AWESOME SWAG” if your submission is valid.

Scope

  • In-Scope Services

    Any products or services owned by CyberHawkz Intelligence Service.

  • Out-of-Scope Services

    Any third-party services.
    Staging domains of CyberHawkz.

  • In-Scope Vulnerabilities

    We are interested in the following types of vulnerabilities:
    SQL injection
    Privilege escalation
    Code execution
    File inclusion (local and remote)
    Authentication bypass
    Leakage of sensitive data
    Administration portals without an authentication mechanism
    Open redirects that allow stealing tokens/secrets
    Cross-Site Request Forgery (CSRF)
    Cross-Site Scripting (XSS)
    Server-Side Request Forgery (SSRF)
    Protection mechanism bypasses (CSRF bypass, etc.)
    Directory traversal

  • Out-of-Scope Vulnerabilities

    The types of vulnerabilities excluded include, but are not limited to:
    Self-XSS
    Tabnabbing
    Email spoofing
    Content spoofing
    Missing cookie flags
    Best-practice issues
    Content injection
    Long string validation/DoS attacks
    Clickjacking/UI redressing
    HTTPS/SSL/TLS related issues
    Physical or social engineering attacks
    Login/logout/unauthenticated/low-impact CSRF
    Unverified results of automated tools or scanners
    Missing SPF/DMARC on non-email domains/subdomains
    Attacks requiring MITM or physical access to a user's device
    Vulnerabilities affecting users of outdated browsers or platforms
    Error information disclosure that cannot be used for a direct attack
    Missing security-related HTTP headers that do not lead directly to a vulnerability
    xmlrpc.php open to the public
    User enumeration at endpoints
    Absence of rate limiting at endpoints

Exclusions

  • While researching, please refrain from:

    Attempting to gain access to other users' accounts or data
    Distributed Denial of Service attacks (DDoS)
    Impacting/affecting other users
    Spamming users or employees associated with CyberHawkz
    Social engineering or phishing attacks on CyberHawkz employees or contractors
    Any attacks against CyberHawkz physical property or data centers

Rules of Engagement

  • When submitting potential vulnerabilities, please include the following for your report to qualify as a valid submission:

    Description of the vulnerability
    Detailed steps to reproduce the vulnerability
    Supporting material
    Proof of concept
    Impact of the vulnerability
    Exploit scenarios
    Mitigation/patch, if available

Report

    Thanks for your findings! CyberHawkz values your assistance in helping keep our product secure. Please reach out to contact[@]cyberhawkz[.]com with your vulnerability report, and we will acknowledge your email as soon as possible.