Vulnerability Disclosure Policy
Last Updated: Sept 14, 2023
Keeping user information safe and secure is a top priority and a core company value for us at inPhronesis. We welcome the contribution of external security researchers and look forward to recognizing them for their invaluable contribution to the security of all inPhronesis users.
Rewards
inPhronesis currently does not have a monetary reward program, but will publicly post thanks to security researchers that disclose vulnerabilities that adhere to this policy.
Applications in Scope
For now, the inPhronesis web application (invision.inphronesis.com) as well as the inPhronesis API are eligible for the bounty program. The inVision mobile app is currently in Beta and therefore is not in scope.
Eligibility and Responsible Disclosure
To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:
- Share the security issue with us in detail;
- Please be respectful of our existing applications. Spamming forms through automated vulnerability scanners will not result in any bounty or award since those are explicitly out of scope;
- Give us a reasonable time to respond to the issue before making any information about it public;
- Do not access or modify our data or our users’ data without the explicit permission of the owner. Only interact with your own accounts or test accounts for security research purposes;
- Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to inPhronesis;
- Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service); and
- Otherwise comply with all applicable laws.
Out-of-scope Vulnerabilities
The following issues are outside the scope of our rewards program:
- Our policies on presence/absence of SPF/DMARC records.
- Password, email and account policies, such as email ID verification, reset link expiration, and password complexity.
- Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token).
- Login/logout CSRF.
- Attacks requiring physical access to a user’s device.
- Missing security headers which do not lead directly to a vulnerability.
- Missing best practices (we require evidence of a security vulnerability).
- Hosting malware/arbitrary content on inPhronesis and causing downloads.
- Self-XSS (we require evidence on how the XSS can be used to attack another inPhronesis user).
- XSS on any site other than invision.inphronesis.com. We will accept reports of XSS on other inPhronesis.com subdomains but will not reward for them.
- Host header injections unless you can show how they can lead to stealing user data.
- Use of a known-vulnerable library (without evidence of exploitability).
- Reports from automated tools or scans.
- Reports of spam (i.e., any report involving ability to send emails without rate limits).
- Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking).
- Vulnerabilities affecting users of outdated browsers or platforms.
- Social engineering of inPhronesis employees or contractors.
- Any physical attempts against inPhronesis property or data centers.
- Presence of autocomplete attribute on web forms.
- Missing cookie flags on non-sensitive cookies.
- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner).
- Any report that discusses how you can learn whether a given username or email address has an inPhronesis account.
- Any access to data where the targeted user needs to be operating a rooted mobile device.
- Any report about DLL hijacking without demonstrating how it gains new privileges is also out of scope.
- Content spoofing vulnerabilities (where you can only inject text or an image into a page) are out of scope. We will accept and resolve a spoofing vulnerability where an attacker can inject an image or rich text (HTML), but it is not eligible for a bounty. Pure text injection is out of scope.
- Ability to share links without verifying email.
- Absence of rate limiting, unless related to authentication.
- Reflected File Download vulnerabilities or any vulnerabilities that let you start a download to the user’s computer are out of scope.
- Devices (iOS, Android, desktop apps) not getting unlinked on password change.
- Hyperlink injection or any link injection in emails we send.
- Creating multiple accounts using the same email is also out of scope.
- Phishing risk via unicode/punycode or RTLO issues.
- Being able to upload files with the wrong extension in the file chooser.
- Editable GitHub wikis.
Consequences of Complying with This Policy
We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.
If your report addresses a vulnerability of an inPhronesis business partner, inPhronesis reserves the right to share your submission in its entirety, including your identity, with the business partner to help facilitate testing and resolution of the reported vulnerability. If legal action is initiated by a third party against you and you have complied with inPhronesis’ bug bounty policy, inPhronesis will take steps to make it known that your actions were conducted in compliance with this policy.
Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.
The Fine Print
We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.
Thanks
Special thanks and attribution to the Dropbox team for open sourcing their VDP, as well as to the DHS for their template. If you have suggestions on how we can make this program better, please email us at support@inPhronesis.com.