Responsible Disclosure
Peoplebox will engage with external security researchers when vulnerabilities are reported according to the rules set about in the responsible disclosure policy.
Rules
Any vulnerabilities submitted through this policy must adhere to the following rules:
- Submissions must adhere to the scope mentioned in this policy.
- Any information about the vulnerability must remain confidential between Peoplebox and yourself indefinitely.
- The vulnerability cannot be disclosed in any medium or form.
- The vulnerability cannot be disclosed in any medium or form.
- Do not perform an attack that would compromise the integrity of Peoplebox’s services.
- DDOS for example is NOT allowed.
- You waive claims of any nature arising out of a disclosure accepted by Peoplebox.
Requests for Compensation
We do not provide monetary compensation for any vulnerability reported. Requesting compensation will make you non compliant with this policy. Peoplebox may however choose to send swag at its own discretion.
Scope
In Scope:
The following targets are considered in scope:
- Peoplebox website located at https://peoplebox.ai and https://peoplebox.com
- Peoplebox’s web application located at https://{subdomain}.peoplebox.ai and https://{{subdomain}}.peoplebox.com
Out of scope:
- Social engineering
- DDOS
- Automation scripts and tools
- Any spelling mistakes
- Any UI/UX bugs
- Issues that do not affect the latest version of modern browsers
- General best practice concerns
- Same issue under multiple subdomains
- Self XSS
- Open Redirect without proven security impact
- Brute Force attacks
- Man-in-the-Middle attack
- Clickjacking without proven security impact
- Disclosed Google API keys
- Verbose messages/errors without disclosing any sensitive information
- CORS misconfiguration on non-sensitive endpoints
- Missing cookie flags
- Missing security headers
- Tab-nabbing
- Host Header Injection
- Cross-domain referrer leakage
- Email spoofing, SPF, DMARC or DKIM
- Email bombing
- Version disclosure
- Issues that require unlikely user interaction
- Broken link hijacking (e.g. social media links)
- Weak SSL/TLS configurations reports
- Disclosing API keys without any security impact
- Physical attacks – Attacks that require physical access to a victim’s device
- Recently disclosed 0-day vulnerabilities in third-party products
- Reports without proof of exploitation
- Known issues
How to Report
All vulnerabilities must be reported to security@peoplebox.ai with the following details:
Details:
Full Name:
Mobile Number:
LinkedIn Profile:
Bug Details:
Name of the Vulnerability:
Description of Vulnerability:
Proof of concept:
Detailed steps to reproduce:
Complying with this Policy: As long as you follow the instructions laid out in this policy, Peoplebox will commit to the following:
We will not pursue civil or criminal legal action against you or initiate a complaint to law enforcement for accidental, good faith violations of this policy considering there is no damage done to the party concerned. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act.
We will work with you to understand the vulnerability and fix it
We will keep you informed of the timeline to fix the vulnerability, post verifying its authenticity
Public disclosure
By default, this program is in “PUBLIC NONDISCLOSURE” mode which means:
THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ONE SHOULD NOT RELEASE THE INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO THE PUBLIC, FAILING WHICH THEY SHALL BE LIABLE FOR LEGAL PENALTIES.