Vulnerability Disclosure Policy
This vulnerability disclosure policy (VDP) applies to any vulnerabilities you consider reporting to Hiveon. Please read this VDP fully before you report a vulnerability, and always act in compliance with it.
We value those who take the time and effort to report security vulnerabilities according to this policy. Thank you in advance for your submission and discretion. We appreciate researchers assisting us in our security efforts.
Your testing must not violate any law or disrupt or compromise any data that is not your own. If you find a potential vulnerability that allows access to restricted data or resources, you should notify us immediately — do not continue to investigate the vulnerability yourself.
This policy applies to the following domains: hiveon.com, the.hiveos.farm, hiveon.net.
While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:
- Performing actions that may negatively impact Hiveon or its users (e.g., spam, brute force, Denial of Service, etc.) or other tests that impair access to or damage a system or data
- Accessing or attempting to access any data or information that does not belong to you
- Destroying, corrupting, or attempting to destroy or corrupt any data or information that does not belong to you
- Using high-intensity invasive or destructive scanning tools to find vulnerabilities
- Physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing
- Social engineering of any Hiveon team employees, contractors, or users
- Violating any laws or breaching any agreements in order to discover vulnerabilities
The following findings are specifically non-rewardable within this program:
- Disclosure of known public files or directories (e.g., robots.txt)
- Clickjacking and certain issues only exploitable through clickjacking
- Logout Cross-Site Request Forgery (logout CSRF)
- Lack of Secure and HttpOnly cookie flags
- Misconfigured or missing SPF/DKIM records
- Lack of SSL/TLS best practices
- DDoS vulnerabilities
- Missing HTTP security headers, e.g. Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP, Content-Security-Policy-Report-Only
- Out-of-date software versions
- Issues that affect users of out-of-date browsers and browser extensions
- Vulnerabilities in third-party components
- Bugs that require exceedingly unlikely user interaction
- Content spoofing and text injection issues without a real attack vector and/or without being able to modify HTML
- Subdomain takeover without a proof of concept
- Domain squatting or any other domain speculations
- Vulnerabilities that require physical access to a user’s device
- Vulnerability reports that are generated by scanners or any automated or active exploit tools
Reporting a vulnerability
If you believe you’ve identified a potential security vulnerability on our platform, please send your reports directly to the Hiveon Security Team ([email protected]). This will ensure your report reaches us directly, and we can respond sooner. Please do not send it to the general email or via the support chat.
Please do not file a public issue or discuss the vulnerability on social media platforms such as Twitter, GitHub, etc. Maintain the confidentiality of your communication with the Hiveon team. Do not send reports or evidence to other users or companies.
Make sure your report includes the following:
- A clear and relevant title
- Affected service/API
- Vulnerability details and impact
- Steps to reproduce/Proof of Concept (e.g., video, screenshots from Burp Suite, curl commands, code snippets, etc.)
- Any other details you think are important
What happens after reporting a vulnerability
After you have submitted your report, we will respond to your report within five (5) working days and aim to triage your report within ten (10) working days. We will keep you informed of our progress. We assess issues in terms of impact, severity, and exploitation complexity.
We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately. Once your vulnerability has been resolved, we welcome requests to disclose your report. However, please refrain from sharing information about any discovered vulnerabilities for 90 calendar days after you have received our confirmation of receiving your report.
We typically do not offer any cash rewards for submissions. However, we might make an exception in the case of valid critical bugs and high-quality reports. The amount of the reward is based on the maximum impact of the vulnerability. Well-written and useful submissions have a higher likelihood of being considered for a reward. You will qualify for a reward only if you are the first person to report a previously unknown flaw.