responsible-disclosure.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="XposedOrNot: Responsible Disclosure">
<meta name="author" content="Devanand Premkumar">
<meta property="og:title" content="Responsible Disclosure" />
<meta property="og:description"
content="XposedOrNot's guidelines for responsible disclosure of security vulnerabilities." />
<meta property="og:image" content="https://xposedornot.com/static/images/xon.png" />
<meta property="og:url" content="https://xposedornot.com/responsible-disclosure" />
<meta property="og:type" content="website" />
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:site" content="@XposedOrNot">
<meta name="twitter:title" content="Responsible Disclosure">
<meta name="twitter:description"
content="XposedOrNot's guidelines for responsible disclosure of security vulnerabilities.">
<meta name="twitter:image" content="https://xposedornot.com/static/images/xon.png">
<link rel="icon" href="favicon.ico" type="image/x-icon" />
<title>Responsible Disclosure </title>
<link rel="stylesheet"
href="https://fonts.googleapis.com/css?family=Poppins%3A300%2C400%2C500%2C600%2C700%2C900&subset"
type="text/css" media="all">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/bootstrap/4.6.2/css/bootstrap.min.css"
integrity="sha512-rt/SrQ4UNIaGfDyEXZtNcyWvQeOq0QLygHluFQcSjaGB04IxWhal71tKuzP6K8eYXYB6vJV4pHkXcmFGGQ1/0w=="
crossorigin="anonymous" referrerpolicy="no-referrer" />
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.8.2/css/all.min.css"
integrity="sha256-BtbhCIbtfeVWGsqxk1vOHEYXS6qcvQvLMZqjtpWUEx8=" crossorigin="anonymous" />
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.1/jquery.min.js"
integrity="sha512-aVKKRRi/Q/YV+4mjoKBsE4x3H+BkegoM/em46NNlCqNTmUYADjBbeNefNxYV7giUp0VxICtqdrbqU7iVaeZNXA=="
crossorigin="anonymous" referrerpolicy="no-referrer"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/bootstrap/4.6.2/js/bootstrap.min.js"
integrity="sha512-7rusk8kGPFynZWu26OKbTeI+QPoYchtxsmPeBqkHIEXJxeun4yJ4ISYe7C6sz9wdxeE1Gk3VxsIWgCZTc+vX3g=="
crossorigin="anonymous" referrerpolicy="no-referrer"></script>
<link href="/static/css/style.css" type="text/css" rel="stylesheet">
<script src="/static/scripts/other-libraries.js" defer></script>
</head>
<body>
<div class="kbanner">
<nav class="navbar navbar-expand-lg navbar-dark bg-primary kbanner">
<a class="navbar-brand" href="https://xposedornot.com">XposedOrNot</a>
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarNavDropdown"
aria-controls="navbarNavDropdown" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarNavDropdown">
<ul class="navbar-nav navbar-right">
<li class="nav-item active">
<a class="nav-link" href="password.html">Password <span class="sr-only">(current)</span>
</a>
</li>
<li class="nav-item active">
<a class="nav-link" href="faq.html">FAQ </a>
</li>
<li class="nav-item active">
<a class="nav-link" href="https://blog.xposedornot.com/">Blog </a>
</li>
<li class="nav-item dropdown active">
<a class="nav-link dropdown-toggle" href="#" id="navbarDropdownMenuLink" data-toggle="dropdown"
aria-haspopup="true" aria-expanded="false"> More Tools </a>
<div class="dropdown-menu" aria-labelledby="navbarDropdownMenuLink">
<a class="dropdown-item" href="xposed.html">Xposed Breaches</a>
<a class="dropdown-item" href="shield.html">Privacy Shield</a>
<a class="dropdown-item" href="domain.html">Domain Verification</a>
<a class="dropdown-item" href="domains.html">Domain-level Search</a>
</div>
</li>
</ul>
</div>
</nav>
</div>
<div class="container">
<div class="panel-group" id="accordion">
<div class="panel panel-default">
<div class="panel-heading">
<h4 class="panel-title">
<a data-toggle="collapse" data-parent="#accordion" href="#collapse1">
<h1>
<strong>Responsible Disclosure of Bugs &amp; Vulnerabilities</strong>
</h1>
</a>
</h4>
</div>
<div id="collapse1" class="panel-collapse ">
<div class="panel-body">
<strong>Last Updated: 08-Mar-2021</strong>
<br>
<br>Hey there, bug hunters! We're so glad you're here to help us keep XposedOrNot (XON) safe and
secure. We've set up this Responsible Disclosure Policy to make sure that everyone plays nice and helps
us keep our services, website, and network safe from any pesky bugs or vulnerabilities. <br><br>
If you find something that needs our attention, we appreciate your cooperation in responsibly
investigating and reporting it so that we can fix it up faster than a speeding bullet. Your help in
disclosing security vulnerabilities keeps all of our users safe and sound. <br><br>
<h2>
<strong>Guidelines for Reporting:</strong>
</h2>
<br> When you're reporting a bug or vulnerability, please make sure to include the following:
<ol>
<li> A clear description of the bug or vulnerability, with some evidence like screen captures or
output data. Don't be shy, we love to see what you've found!</li>
<li> A description of the potential impact of the vulnerability, just so we know what we're dealing
with.</li>
<li> Your preferred name or handle so we can give you the recognition you deserve in our XON
Security Researcher Hall of Fame. </li>
<li> Exact steps to reproduce the issue so that we can replicate it on our end.</li>
<li> A video proof of concept is always appreciated if you have one.</li>
<li> Any relevant information about platforms, operating systems, versions, IP addresses, or URLs.
</li>
<li> Supporting evidence like logging or tracing data is always helpful.</li>
<li> Your assessment of how exploitable the issue might be. We won't judge you if it's a 10 out of
10 on the exploitability scale.</li>
</ol>
Thanks for being an awesome bug hunter 🙌 and helping us keep XposedOrNot (XON) safe and sound!
<br><br>
<h2>
<strong>Valid Submissions </strong>
</h2>
<br>
<ol>
<li> Local or remote file inclusion </li>
<li> Authentication bypass </li>
<li> Directory traversal </li>
<li> Unauthorized or unintended data leakage </li>
<li> Remote code execution (RCE) </li>
<li> SQL injection, XML external entity (XXE) injection and command injection</li>
<li> Cross-site scripting (XSS)</li>
<li> Server-side request forgery (SSRF)</li>
<li> Misconfiguration issues on servers or the API</li>
<li> Authentication and authorization related issues</li>
<li> Cross-site request forgery (CSRF)</li>
</ol>
<br>
<h2>
<strong>In-Scope Domains</strong>
</h2>
<br>
<ol>
<li>https://xposedornot.com</li>
<li>https://api.xposedornot.com</li>
<li>https://passwords.xposedornot.com</li>
</ol>
<br>
<h2>
<strong>Uses of Information</strong>
</h2>
<br>
We promise to keep all information about you and our services confidential. So please, don't spill the
beans to anyone outside of our team!<br>
<br>
We're all about making the internet a safer place, and we appreciate security researchers who help us
achieve that. So, a big thanks 🙏 to you for being a part of that effort! By responsibly disclosing
any bugs or vulnerabilities you find, you're helping us protect our users and their data.<br>
<br>
<h2>
<strong> Acceptable Use Policy </strong>
</h2>
<br>
Just a heads-up: this isn't your typical bug bounty program where we offer cash rewards for
vulnerability submissions. We're not made of money (yet). However, if you do report something
important to us, we might just show you some love and appreciation in return!<br>
<br>
Just make sure to keep it ethical, okay? We expect you to act like a good citizen of the internet and
follow the rules we've laid out in our Acceptable Use Policy. If you do, we'll happily give
you some recognition on our Hall of Fame page, which is kind of like our version of the Hollywood
Walk of Fame, but for security researchers. So go ahead, show off your skills and help us make
XposedOrNot a safer place for everyone!<br>
<br>
<h2>
<strong>Bug Reporters: Expectations</strong>
</h2>
<br>
Bug hunters, we're excited to have you on board in helping us make XposedOrNot a safer place for
everyone! Before you get started, here are a few things we expect from you: <br><br>
<ol>
<li> Please don't do anything that would hurt or disrupt XposedOrNot or our users.</li>
<li> We'll send you an acknowledgment within 1-3 days of receiving your report.</li>
<li> Respect the privacy of our users and don't try to snoop around their accounts.</li>
<li> Only test on your own accounts and email addresses.</li>
<li> If you find a critical vulnerability that gives you access to our web server or API, please
stop there and let us take over.</li>
<li> Don't share any details about the issue until we've resolved it.</li>
<li> If you try to exploit the vulnerability for personal gain, we'll have to disqualify your
report.</li>
</ol>
<br>
We appreciate your cooperation in helping us keep our platform secure. Let's work together to make
XposedOrNot the best it can be!
</div>
</div>
</div>
<div class="panel panel-default">
<div class="panel-heading">
<h4 class="panel-title">
<a data-toggle="collapse" data-parent="#accordion" href="#collapse25">
<strong>Reporting Guidelines</strong>
</a>
</h4>
</div>
<div id="collapse25" class="panel-collapse">
<div class="panel-body"> Thank you for looking out for us! If you've discovered a bug or security
vulnerability in XposedOrNot, we'd love to hear about it. You can report it via email at <strong>deva @
xposedornot.com</strong> or tweet at us <strong>@DevaOnBreaches</strong>. <br>
<br> Email: deva @ xposedornot.com <br> Twitter: <a
href="https://twitter.com/devaonbreaches">@DevaOnBreaches</a>
<br>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="container text-center">
<footer>
<aside>
<p>Join us in shaping this fully open source site! Contributions are welcome ❤️: check out our <a
href="https://github.com/XposedOrNot" target="_blank" rel="noopener">GitHub</a>.</p>
</aside>
<div class="custom-control custom-switch" style="text-align:right;width:30%;float:right">
<input type="checkbox" class="custom-control-input" id="darkSwitch">
<label class="custom-control-label" for="darkSwitch">Dark Mode</label>
</div>
</footer>
</div>
<script defer async src="https://www.googletagmanager.com/gtag/js?id=UA-108891851-1"></script>
<script src="/static/scripts/common.js"></script>
</body>
</html>