Responsible Disclosure Policy
At Boman.ai, the security of our users is a top priority. If you believe that you have discovered a potential vulnerability, please report it to firstname.lastname@example.org.
We kindly request that you help secure our product by reporting your findings in accordance with this policy.
Reporting security issues
E-mail your findings to email@example.com. Please submit your findings in the following format:
- Description of the issue
- Affected endpoint/URL
- Proof of concept, including a step-by-step approach and screenshots/video
- Recommended solution
What we commit
- Your report will be handled with strict confidentiality, and your personal details will not be passed to third parties without your permission.
- We will respond to your report within 3 business days after due evaluation.
- As a token of gratitude for your assistance, you will receive a letter of appreciation from us.
- You must be the first researcher to responsibly disclose the bug. Duplicate reports will not be considered.
- You must strictly adhere to this Responsible Disclosure Policy.
What we request
- Kindly avoid public disclosure of any security issue unless it is approved by our Security Team.
- Once you have responsibly disclosed a vulnerability, please be patient and allow us reasonable time to fix it and update you.
- Please provide sufficient information to reproduce the vulnerability.
- Please stick to the target mentioned in the scope and refrain from testing any other targets.
- Please include the custom header X-Security-Test: in all test requests so that we can identify them; any requests not following this protocol will be treated as malicious. Burp and other proxies make it easy to add a header automatically to all outbound requests. Kindly share the header value you set so we can identify your requests easily.
- Please avoid using scanners or automated tools. Kindly perform manual testing only and refrain from sending many requests to our targets in a short time frame.
- If you discover a security vulnerability that may expose sensitive data or grant access to a resource, please refrain from changing any data or configuration.
- Please avoid exploiting the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or by deleting or modifying other people’s data.
- Please avoid attacks on physical security, social engineering, distributed denial of service, spam, or applications of third parties.
Out of Scope:
- Other subdomains of boman.ai
In scope vulnerabilities:
- Remote Code Execution
- Authentication Bypass
- Privilege Escalation
- Privacy/Sensitive Information Disclosure
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Server-Side Request Forgery (SSRF)
- Injection Issues (SQLi, XML, LDAP, etc.)
- Session Related Issues (Session fixation, session hijack etc.)
- Open Redirects with significant security impact
- Cross Origin Resource Sharing with significant security impact
- Remote / Local File Inclusion
- Malicious use of functionality
- API Abuse
- Infrastructure related issues (server issues etc.)
- Other high impact issues
Out of scope vulnerabilities:
- Issues with little or no impact do not qualify for our program.
- Vulnerabilities in third-party applications / libraries / APIs
- Clickjacking / Tapjacking
- DoS/DDoS attacks
- Self XSS
- Version Disclosure
- Error messages with no sensitive data
- Third party API key disclosures without any impact or which are supposed to be open/public.
- Missing HTTP Security Headers (e.g., HSTS)
- Disclosure of known public files or directories (e.g., robots.txt, CSS/images, etc.)
- Brute-force attacks / account lockouts / rate-limit bypasses without high impact
- Login/logout cross-site request forgery
- CSV / HTML / Text Injection
- Social engineering (Phishing) / Spamming (e.g., SMS/Email Bombing)
- Certificate related issues (e.g., Weak Ciphers, etc.)
- DNS issues (e.g., DMARC, DKIM, SPF records etc.)
- Vulnerabilities that require physical device access (e.g., USB debugging), root/jailbroken access, or third-party app installation to exploit
- Reports of known-vulnerable software or known CVEs without proof of exploitability