Guidelines for reporting a security vulnerability

Introduction

fullcast.io runs a bug bounty program to reward researchers for their findings. If you believe you have discovered a vulnerability in the fullcast.io service, system or web-facing property, please submit a vulnerability report via customersupport@fullcast.io. Please do not publicly disclose these details without contacting Fullcast first, and without expressed prior written agreement from Fullcast.

Fullcast.io Disclosure Policy

As a security conscious company, keeping our customers safe is Fullcast’s primary concern. Fullcast uses a Secure Development Lifecycle process to integrate security into its products from design, through development and release. However, sometimes vulnerabilities escape detection, or new exploits are released after the product is already on the market. At fullcast we investigate all received vulnerability reports and implement the best course of action in order to protect our customers.

Fullcast supports responsible disclosure, and we take responsibility for disclosing product vulnerabilities to our customers. To encourage responsible disclosure, we ask that all researchers comply with the following Responsible Disclosure Guidelines:

Fullcast advises its customers that those who exploit security systems often do so by reverse engineering published security updates, and therefore encourages its customers to patch timely.

Responsible Disclosure Program Guidelines

Researchers shall disclose potential vulnerabilities in accordance with the following guidelines:

Do not engage in any activity that can potentially or actually cause harm to fullcast, our customers, or our employees.

Do not engage in any activity that can potentially or actually stop or degrade fullcast services or assets.

Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or
(iii) the researcher is conducting research activity.

Do not store, share, compromise or destroy fullcast or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Fullcast. This step protects any potentially vulnerable data, and you.

Provide fullcast reasonable time to fix any reported issue, before such information is shared with a third party or disclosed publicly.

By responsibly submitting your findings to fullcast in accordance with these guidelines Fullcast agrees not to pursue legal action against you. fullcast reserves all legal rights in the event of noncompliance with these guidelines.

Once a report is submitted, fullcast commits to provide prompt acknowledgement of receipt of all reports (within two business days of submission) and will keep you reasonably informed of the status of any validated vulnerability that you report through this program.

Out of Scope Environments

The following environments are out of scope:

https://www.fullcast.io

https://support.fullcast.io

Submission Format

When reporting a potential vulnerability, please include a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during discovery (screen captures welcome).

What is a “qualifying vulnerability”?

Web application vulnerabilities such as XSS, XXE, CSRF, SQLi, Local or Remote File Inclusion, authentication issues, remote code execution, and authorization issues, privilege escalation and clickjacking. The vulnerability must not be in one of the services named in the “out of scope” section above. You must be the first researcher to responsibly disclose the vulnerability and you must follow the responsible disclosure guidelines set out in this Policy, which include giving us a reasonable amount of time to address the vulnerability. We will confirm the reasonable amount of time with you following the disclosure of the vulnerability.

What is not a “qualifying vulnerability”?

Although each submission will be evaluated on a case-by-case basis, here is a list of some of the issues which don’t qualify as security vulnerabilities:

UI and UX bugs and spelling mistakes;
TLS/SSL related issues;
SPF, DMARC, DKIM configurations;
Vulnerabilities due to out of date browsers or plugins;
Content-Security Policies (CSP);
Vulnerabilities in end of life products;
Lack of secure flag on cookies;
Username enumeration;
Vulnerabilities relying on the existence of plugins such as Flash;
Flaws affecting the users of out-of-date browsers and plugins;
Security headers missing such as, but not limited to “content-type-options”, “X-XSS-Protection”;
CAPTCHAs missing as a Security protection mechanism;
Issues that involve a malicious installed application on the device;
Vulnerabilities requiring a jailbroken device;
Vulnerabilities requiring a physical access to mobile devices;
Use of a known-vulnerable library without proof of exploitability; and/or
Tap-jacking and UI-redressing attacks that involve tricking the user into tapping a UI element.
CSRF on forms that are available to anonymous users
Disclosure of known public files or directories (e.g. robots.txt)
Domain Name System Security Extensions (DNSSEC) configuration suggestions
Banner disclosure on common/public services
HTTP/HTTPS/SSL/TLS security header configuration suggestions
Lack of Secure/HTTPOnly flags on non-sensitive cookies
Logout Cross-Site Request Forgery (logout CSRF)
Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
Sender Policy Framework (SPF) configuration suggestions
Physical Testing
Social Engineering. For example, attempts to steal cookies, fake login pages to collect credentials
Phishing
Denial of service attacks
Resource Exhaustion Attacks

Accountability

The fullcast senior management team has overall responsibility for this policy, and for reviewing the effectiveness of actions taken in response to concerns raised under this policy. Various officers of fullcast have day-to-day operational responsibility for this policy, and must ensure that all managers and other staff who may deal with concerns or investigations under this policy receive regular and appropriate training. Fullcast’s Chief Technology Officer and General Counsel reviews our Vulnerability Disclosure policy from a legal and operational perspective on a yearly basis.