@ramanathanrv
Created April 29, 2016 13:59
Policy for bug reporting and categories
Focus areas
Cross site request forgery on critical actions (control panel is out of scope)
Cross site scripting (XSS)
Remote code execution / shell injection
Authentication bypass
SQL injection
P1/P2 Issues:
Remote code execution
SQL injection in critical areas leading to sensitive data disclosure
Authentication bypass in critical areas
CSRF of critical functions (leading to sensitive data disclosure or update)
P3:
Authentication bypass in important functions
Session fixation with a proof of concept (PoC) of account takeover
P4/P5:
XSS
Sensitive data in URL
Exposed session token in URL
Error pages with stacktrace
The following finding types are specifically excluded from the bounty:
Information disclosure not associated with a vulnerability, i.e. stack traces, application or server errors, robots.txt
Use of known-vulnerable libraries (such as OpenSSL) without proof of exploitation
Vulnerabilities affecting end of life browsers or platforms
Lack of secure/HTTP-only flags on non-sensitive cookies
Login or forgotten password page brute forcing and account lockout not being enforced
Application denial of service by locking user accounts
Password or account recovery policies, such as reset link expiration or password complexity
Reports from automated scripts or scanners
Network level denial of service (DoS/DDoS) vulnerabilities
Findings from physical testing such as office access (e.g. open doors, tailgating)
Findings derived primarily from social engineering (e.g. phishing, vishing, smishing)
Functional, UI and UX bugs and spelling mistakes
HTTP 404 codes/pages or other HTTP non-200 codes/pages
Logged out cross-site request forgery (logout CSRF)
Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
OPTIONS / TRACE HTTP methods being enabled
Modification of headers, URLs, POST body content, server responses by man-in-the-middle attacks
Fingerprinting / banner disclosure on common/public services
Clickjacking and issues only exploitable through clickjacking
No / weak captcha / captcha bypass
HTTPS mixed content scripts
Missing HTTP security headers (see https://www.owasp.org/index.php/ListofusefulHTTPheaders), e.g.
  Strict-Transport-Security
  X-Frame-Options
  X-XSS-Protection
  X-Content-Type-Options
  Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  Content-Security-Policy-Report-Only
SSL issues, e.g.
  SSL attacks such as BEAST, BREACH, renegotiation attack
  SSL forward secrecy not enabled
  SSL weak / insecure cipher suites