Bug reward disclosure program

The software security research community makes the web a better, safer place. We support their bug-hunting efforts with a bounty program.

To report a vulnerability, please email us at [email protected]

Qualifying Vulnerabilities

The following addresses are currently within the scope of the program:

  • www.esb-agile.com
  • www.ecohabitation.com

NB. Any subdomain other than www. is not eligible.

To be eligible, a bug hunter must demonstrate a security compromise on any of these domains using a reproducible exploit, including the following:

  • Cross-site scripting exploits
  • Cross-site request forgery exploits
  • Authentication or authorization flaws
  • Official Ecohome Network mobile apps or API flaws
  • Server-side code execution bugs
  • Injection flaws
  • Significant security misconfigurations
  • Recommendation and ranking systems

The following vulnerabilities do not qualify for the bounty program:

NB. Even though some of these issues might be highly relevant in other contexts, in the context of The Ecohome Network we have determined that they don’t pose as great a risk. If you think we’re mistaken, please reach out.

  1. Self-XSS.
  2. Login/logout CSRF.
  3. CSRF configuration issues without an exploitable proof of concept. CSRF proof-of-concept cases that require Burp or a network proxy are invalid or insufficient.
  4. Missing security headers which do not lead directly to a vulnerability.
  5. Vulnerabilities in third party components in use at The Ecohome Network, depending on severity and exploitability. For instance, we try to keep up to date with OpenSSL versions but not all security issues impact The Ecohome Network’s configuration.
  6. Bugs requiring unlikely user interaction or phishing. This includes issues commonly known as clickjacking or UI redress attacks.
  7. Newly acquired companies are subject to a blackout period to allow us to review and get everything up to speed. Acquisitions coming out of the blackout period will be added to the scoping list once they are in-scope. Bugs reported sooner than that will typically not qualify for a reward.
  8. Rate Limit on emails sent during sign-up, sign-in, and change email confirmations.
  9. Rate Limit for formulas on data entry or submissions for inclusion on sites.
  10. Previous email login links not invalidated in the event multiple login links are requested. All links expire in 60-120 minutes.
  11. Not being logged out of the native Android app when logging out of all other sessions from the web. We give the user a read-only experience and block publishing, recommending, replying, highlighting, and access to drafts, bookmarks, history, and settings.
  12. Using an email spoofing tool to send an email spoofed as sent from an Ecohome Network domain: the email is delivered but marked as spam, as opposed to not being sent at all.
  13. Logging-in to The Ecohome Network in several browsers/tabs, or logging-in and logging-out repeatedly, thereby creating many user sessions.
  14. Defeating the paywall by clearing cookies, using private browsing, or creating a new user session.
  15. Using URLs containing look-alike Unicode characters, also known as homograph attacks.

Rules for Visitors

  • Don’t make the bug public before it has been fixed.
  • Don’t attempt to gain access to another user’s account or data. Use your own test accounts for cross-account testing.
  • Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
  • Only test for vulnerabilities on sites or apps operated by The Ecohome Network. Some sites hosted on subdomains of The Ecohome Network may be operated by third parties and should not be tested.
  • Do not impact other users with your testing; this includes testing for vulnerabilities in accounts you do not own. We may suspend any Ecohome Network account and ban IP addresses if you do so.
  • Don’t use scanners or automated tools to find vulnerabilities. They’re noisy and we may suspend your Ecohome Network account and ban your IP address.
  • No non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • The more thorough the proof-of-concept, the higher the chance a payout will be awarded.
  • When in doubt, email [email protected]

Rules for Us

  • We will respond as quickly as possible to bug submissions.
  • We will keep you updated as we work to fix the bug you submitted.
  • We will not take legal action against you if you play by the rules and act in good faith.

Rewards

Based on severity of the bug and completeness of the submission, which we will decide at our sole discretion, we offer the following minimum rewards:

  • Remote code execution: $150
  • Unrestricted access to file systems or databases: $100
  • Bugs leaking or bypassing significant security controls: $100
  • Bugs allowing artificial manipulation of ranking and recommendation systems: $50
  • Execute code on the client, including XSS: $10
  • Open redirect: $25
  • Other valid security vulnerabilities: schwag and recognition on humans.txt.
  • Vulnerabilities to auxiliary services or 3rd party dependencies: schwag and recognition.

Legal things & final notes

We deal only with principals, not vulnerability brokers.

If you reside in a country on a United States or Canadian restricted export control list or are on a Canadian or United States state or federal criminal wanted list or restricted export control list, you are not eligible to participate in this program.

We will make the final decision on bug eligibility and value. This program exists entirely at our discretion and may be modified or canceled at any time. Any changes we make to this program’s terms do not apply retroactively. Thanks for helping us make The Ecohome Network more secure.