Vulnerability Reporting Program

Applications in Scope

We are interested in critical vulnerabilities in our infrastructure. In a nutshell, we are interested in real vulnerabilities, not in the output of automated scanners.

Any issues that substantially affect the confidentiality, integrity or availability of user data may be considered for a reward after we review them on a case-by-case basis.

However, not all findings and vulnerabilities will necessarily qualify for a reward, and it is up to the discretion of the security team to determine whether a reported vulnerability is rewarded.

To ensure that our services are available for all users, please do not attempt any DoS attacks, utilize black hat SEO techniques, spam others, or otherwise compromise the availability of our services by similarly questionable means. Similarly, we discourage the use of tools that automatically generate a lot of traffic while testing vulnerabilities.

Eligibility and Responsible Disclosure

To increase user safety, we ask that you:

  • Share the security details with us;
  • Do not spam our existing applications through automated vulnerability scanners;
  • Before making any information public about the issue, give us sufficient time to respond;
  • Do not modify our data or the data of our users without the explicit permission of the owner. Unless given permission, don't interact with other people's accounts;
  • Immediately remove any local information after reporting the vulnerability to Anafore. Do not view, alter, save, store, transfer, or otherwise access any user data;
  • Take reasonable steps to avoid violating privacy rights, destroying data, or interrupting and degrading our services (including denial-of-service attacks).

This is not a competition, but a discretionary and experimental rewards program. We can terminate the program at any time, and reward payments are at our sole discretion. The testing you conduct must not violate the law or disrupt data that doesn't belong to you.

Out-of-scope vulnerabilities

  • Policies related to passwords, email and accounts, such as password complexity and email ID verification.
  • Reports produced by an automated tool or scan.
  • Indications that spam has been transmitted (any indication that emails have been sent at excessive rates).
  • Security risks to which users of outdated browsers or platforms are vulnerable.

How to report vulnerabilities to us

When contacting us, please indicate the exact domain on which you found the vulnerability. Furthermore, we ask you to provide us with as many details as possible to reproduce the vulnerability in order to facilitate our analysis and thus speed up the payment of the reward.

Please communicate with us via email to "[email protected]"

Effective as of October 18, 2023