Disclosure Policy

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve the issue quickly, and Binalyze will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

Reporting

If you believe you have found a security issue/vulnerability in one of our services, systems, or applications;

• If you are our customer, please contact support@binalyze.com,

• If you are an independent researcher/analyst; primarily, please join our bug bounty program at bugbounter.com or inform us through security@binalyze.com along with your contact details and include the following information in your report:

  
  

  • A description of the issue and where it is located along with screenshots.

  • A description of the steps required to reproduce the issue.

  • Examples of vulnerabilities include, inter alia:

  • Authentication flaws

  • Circumventing of the platform and/or privacy permissions

  • Privilege escalations

  • Cross-site scripting (XSS)

  • Cross-site request forgery (CSRF)

  • Server-Side request forgery (XSRF)

  • Injection Attacks (SQL, XML, JSON, etc.)

  • Business logic by-pass

  • Arbitrary redirect

  • Server-side code execution (RCE)

Rules for Finding Security Vulnerabilities

• Take responsibility and act with extreme care and caution.

• While investigating the matter, only use methods or techniques that are compliant with the law and necessary practices in order to find or demonstrate the weaknesses, without limiting the generality of the foregoing.

• In any event, please refrain from the following:

  • Do not use weaknesses/vulnerabilities you discover for purposes other than your own investigation.

  • Do not use social engineering techniques to gain access to a system.

  • Do not install any back doors – not even to demonstrate the vulnerability of a system. Back doors will weaken the system’s security.

  • Do not alter or delete any information in the system or application. If you need to copy information for your investigation, never copy more than you need. If one record is sufficient, do not go any further.

  • Do not alter the system in any way.

  • Do not share access or details of any vulnerable system with others.

  • Do not use brute force techniques, such as repeatedly entering passwords, to gain access to systems.

Also Refrain From

• Accessing, Downloading, or Modifying data residing in an account that does not belong to you or attempt to do any of the foregoing,

• Executing or attempting to execute any “Denial of Service” attack,

• Posting, transmitting, uploading, linking, sending, or storing any malicious software,

• Testing in a manner that would result in the sending unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of duplicative or unsolicited messages,

• Testing in a manner that would degrade the operation of any Binalyze properties; or testing third-party applications, websites, or services that integrate with or link to Binalyze properties,

• Investigating/exploiting issues with outdated or unpatched browsers,

• Investigating/exploiting the lack of the Secure Flags on non-sensitive cookies,

• Investigating/exploiting the lack of the HTTP Only flags on non-sensitive cookies,

• Security vulnerabilities in third-party websites and applications that integrate with issues,

• Vulnerabilities requiring a potential victim to install nonstandard software or otherwise take steps to become susceptible to attack,

• Social engineering of vulnerabilities requiring very unlikely user interactions,

• Investigating/exploiting findings primarily from social engineering (e.g., phishing, vishing),

• Investigating/exploiting findings from physical testing such as office access (e.g., open doors, tailgating),

• UI/UX bugs and spelling mistakes,

• Spamming,

• Disclosure of known public files or directories (e.g. robots.txt),

• Click-jacking and investigating/exploiting issues only exploitable through click-jacking,

• CSRF on forms that are available to anonymous users (e.g. the contact form),

• Logout Cross-Site Request Forgery (logout CSRF),

• Investigating/exploiting the presence of application or web browser ‘autocomplete’ or ‘save password’ functionality,

• SSL Attacks such as BEAST, BREACH, Renegotiation attack,

• Investigating/exploiting SSL Forward secrecy not enabled,

• Investigating/exploiting SSL Insecure cipher suites,

• Investigating/exploiting the Anti-MIME-Sniffing header X-Content-Type-Options,

• Investigating/exploiting the missing HTTP security headers.

Points to Keep in Mind

• Do not put any customer or Binalyze data at risk, or degrade any of our system’s performance.

• If your actions are intrusive or an attack on our system, we may act against the same including activities such as reporting them to law enforcement bodies/agencies.

• Binalyze reserves its right to initiate legal action against any person and/or report to relevant authorities of such a person who conducts any tests or investigations which are prohibitive or not in compliance with law or not as per this Policy.

• Do not publicly announce the vulnerability but get in touch with us and give us the time to examine the issue. The safety of our customers’ information and assets is our top priority. Therefore, we encourage anyone who has discovered a vulnerability in our systems to act instantly and help us improve and strengthen the safety of our sites and systems.

Our Recognition

If you identify a valid security vulnerability in compliance with this Responsible Disclosure Policy, Binalyze shall:

• Acknowledge receipt of your vulnerability report,

• Work with you to understand and validate the issue,

• Address the risk as deemed appropriate by the Binalyze team,

• Work together to prevent cyber-crime.

Binalyze will review the submission to determine if the finding is valid and has not been previously reported. Publicly disclosing the submission details of any identified or alleged vulnerability without expressed written consent from Binalyze will deem the submission as non-compliant with this Responsible Disclosure Policy.