Responsible Disclosure

Peoplebox will engage with external security researchers when vulnerabilities are reported in accordance with the rules set out in this responsible disclosure policy.

Rules
Any vulnerabilities submitted through this policy must adhere to the following rules:

  1. Submissions must adhere to the scope mentioned in this policy.
  2. Any information about the vulnerability must remain confidential between Peoplebox and yourself indefinitely.
  3. The vulnerability cannot be disclosed in any medium or form.
  4. Do not perform an attack that would compromise the integrity of Peoplebox’s services.
  5. Denial-of-service attacks (DDoS), for example, are NOT allowed.
  6. You waive claims of any nature arising out of a disclosure accepted by Peoplebox.

Requests for Compensation

We do not provide monetary compensation for any vulnerability reported. Requesting compensation will make you non-compliant with this policy. Peoplebox may, however, choose to send swag at its own discretion.

Scope
In Scope:
The following targets are considered in scope:

  1. Peoplebox website located at https://peoplebox.ai and https://peoplebox.com
  2. Peoplebox’s web application located at https://{subdomain}.peoplebox.ai and https://{subdomain}.peoplebox.com

Out of scope:

  1. Social engineering
  2. DDoS
  3. Automation scripts and tools
  4. Any spelling mistakes
  5. Any UI/UX bugs
  6. Issues that do not affect the latest version of modern browsers
  7. General best practice concerns
  8. Same issue under multiple subdomains
  9. Self XSS
  10. Open Redirect without proven security impact
  11. Brute Force attacks
  12. Man-in-the-Middle attack
  13. Clickjacking without proven security impact
  14. Disclosed Google API keys
  15. Verbose messages/errors without disclosing any sensitive information
  16. CORS misconfiguration on non-sensitive endpoints
  17. Missing cookie flags
  18. Missing security headers
  19. Tab-nabbing
  20. Host Header Injection
  21. Cross-domain referrer leakage
  22. Email spoofing, SPF, DMARC or DKIM
  23. Email bombing
  24. Version disclosure
  25. Issues that require unlikely user interaction
  26. Broken link hijacking (e.g. social media links)
  27. Weak SSL/TLS configuration reports
  28. Disclosing API keys without any security impact
  29. Physical attacks – Attacks that require physical access to a victim’s device
  30. Recently disclosed 0-day vulnerabilities in third-party products
  31. Reports without proof of exploitation
  32. Known issues

How to Report

All vulnerabilities must be reported to security@peoplebox.ai with the following details:

Details:
Full Name:
Mobile Number:
LinkedIn Profile:


Bug Details:
Name of the Vulnerability:
Description of Vulnerability:


Proof of concept:
Detailed steps to reproduce:

Complying with this Policy: As long as you follow the instructions laid out in this policy, Peoplebox commits to the following:

  1. We will not pursue civil or criminal legal action against you, or initiate a complaint to law enforcement, for accidental, good-faith violations of this policy, provided no damage is done to the party concerned. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act.
  2. We will work with you to understand the vulnerability and fix it.
  3. We will keep you informed of the timeline to fix the vulnerability once its authenticity has been verified.

Public disclosure
By default, this program is in “PUBLIC NONDISCLOSURE” mode which means:

THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ONE SHOULD NOT RELEASE THE INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO THE PUBLIC, FAILING WHICH THEY SHALL BE LIABLE FOR LEGAL PENALTIES.
