In order to make the Internet a safer place for everyone, we recognize the important role that security researchers play in helping to keep Ontop and our users secure. Therefore, we invite finders, hackers, security researchers, and reviewers, among others to help protect Ontop and our users by proactively identifying and reporting security vulnerabilities.If you are aware of a vulnerability that could affect Ontop’s services or products, please report it to us right away. We will investigate all legitimate reports and do our best to quickly address the problems.By submitting reports or otherwise participating in this feature, you agree that you have read and will abide by the Vulnerability Reporting Policy.
• Do not share information about the vulnerability with others until it has been resolved.
• Exercise caution and restraint with respect to personal data and do not intentionally engage in attacks against third parties, social engineering, phishing, spamming or causing annoyance to other users.
• Do not perform actions that may negatively affect Ontop or our users, such as: executing or attempting to execute any denial-of-service attack, posting, transmitting, uploading, linking to, sending, or storing any malicious software and/or file, testing third-party applications, websites or services that integrate with or link to Ontop applications.
• Do not test the security of Ontop’s employees' equipment.
• Do not abuse the vulnerability by causing disruption with your actions.
• You may only test against your own Ontop accounts.
• Do not interact with an enterprise and/or personal Ontop account that you don’t own (such as by modifying or accessing data from the account).
• Do not violate any law or disrupt or attempt to access data that does not belong to you.
• Do not exploit a security issue you discover for any reason (this includes demonstrating additional risk, such as attempted compromise of sensitive data or probing for additional issues).
Responsible Submission Guidelines
• Provide proof of concept or sufficient information to allow the vulnerability to be reproduced so that it can be verified, reproduced, and possible solutions identified.
• Identification of the vulnerable target, a description of the vulnerability, and the operations carried out to exploit it are usually sufficient, but more details and information may be required for complex vulnerabilities.
• Provide the above details, including the Ontop account username, IP address, and the date/timestamp of the vulnerability to support validation and reproduction of the issue.
• Submit one vulnerability per report unless you need to chain vulnerabilities together to provide impact.
• Submit the reports in the English language.
• By reporting a security bug or vulnerability, you give us the right to use your report for any purpose.
• Treat submitted reports confidentially and will not share the finder’s personal details with third parties without their authorization, unless required in order to do so to comply with legal obligations.
• The receipt of a submission does not imply any guarantee or commitment on the part of Ontop to pay any monetary amount to the Finder.
• If applicable, Ontop will determine the conditions and requirements and inform the Finder.
• Resolve all submitted reports as quickly as possible.Ontop does not operate a hall of fame program.
Public Acknowledgement Policy
Ontop does not maintain a public-facing list of externally reported issues and reporters.
Non-qualifying Vulnerability Submissions
When reporting vulnerabilities, please consider the attack scenario (exploitability), and the security impact of the bug. The following are some examples of issues that are out of the scope of this program:
• Social engineering (e.g. phishing, vishing, smishing) of Ontop staff or contractors is prohibited.Scanner output or scanner-generated reports.
• Advisory, Informational, or based on Best Practices reports without a valid exploit (e.g., use of "weak" TLS ciphers).Missing best practices in Content Security Policy.
• Missing best practices in SSL/TLS configuration.
• Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
• Server misconfigurations without a proof of concept of how they can lead to a real vulnerability.
• Vulnerabilities in 3rd-party software such as frameworks, plugins, or libraries (e.g. WordPress, Jira, Discourse, Okta, etc.).
• Clickjacking on pages with no sensitive actions.
• HTTP headers hardening and recommendations (Clickjacking, X-Frame-Options, CORS, etc.).
• Subdomain takeovers will be marked as informative as they are already being tracked internally with tools to prevent this from happening and clear out the dangling DNS entries.
• Any type of Denial of service (DOS) attacks.
• Any physical attempts against Ontop property.
• Rate limiting testing or brute force attacks against any asset.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
• Issues that we are already aware of or have been previously reported.Disclosure of server or software version numbers.
• Hypothetical subdomain takeovers without supporting evidence.Issues that are premised on unlikely user interaction.
• Missing HttpOnly or Secure flags on cookies.
• Open redirect unless an additional security impact can be demonstrated.
• Perceived security weaknesses without concrete evidence of the ability to compromise a user (e.g., missing rate limits, missing headers, etc.).
• Previously known vulnerable libraries without a working Proof-of-Concept.
• Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
• Rate limiting or brute force issues on non-authentication endpoints.Reports of spam.
• Self-XSS.Session invalidation or other improved security related to account management when a credential is already known (e.g., password reset link does not immediately expire, etc.).
• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
• Unconfirmed reports from automated vulnerability scanners.
• User/merchant enumeration.Vulnerabilities that only affect users of outdated or unpatched browsers (less than 1 stable version behind the latest released stable version).
• Cross-site scripting vulnerabilities without a content security bypass will be assessed at a lower severity level than those with a bypass.
Submit Vulnerability Report
Please help us by providing as much information as possible about the issue you have discovered. If you have not yet done so, please review our previously announced rules and guidelines before submitting the information.