Responsible Disclosure Policy

Appin Technology Lab. Ltd. will engage with external security researchers when vulnerabilities are reported according to the rules set about in the responsible disclosure policy.

Rules

  1. Submissions must adhere to the scope mentioned in this policy.
  2. Any information about the vulnerability must remain confidential between Appin Technology Lab and yourself indefinitely.
  3. The vulnerability cannot be disclosed in any medium or form.
  4. Do not perform an attack that would compromise the integrity of Appin Technology Lab services.
  5. DDOS for example is NOT allowed.
  6. You waive claims of any nature arising out of a disclosure accepted by Appin Technology Lab.

Requests for Compensation

We do only provide Hall of Fame (Acknowledgement on our own Website) & not provide monetary compensation for any vulnerability reported. Requesting compensation will make you non-compliant with this policy. Appin Technology Lab may however choose to send Certificate of Appreciation or Swag at its own discretion.

Scope

In Scope:

The following targets are considered in scope:
  1. Appin Technology Lab.’s website located at https://appinindore.com
  2. Appin Technology Lab. .’s web application located at https://{subdomain}.appinindore.com

Out of scope:

  • Social engineering
  • DDOS
  • Automation scripts and tools
  • Any spelling mistakes
  • Any UI/UX bugs
  • Issues that do not affect the latest version of modern browsers
  • General best practice concerns
  • Same issue under multiple subdomains
  • Self XSS
  • Open Redirect without proven security impact
  • Brute Force attacks
  • Man-in-the-Middle attack
  • Clickjacking without proven security impact
  • Disclosed Google API keys
  • Verbose messages/errors without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Tab-nabbing
  • Host Header Injection
  • Cross-domain referrer leakage
  • Email spoofing, SPF, DMARC or DKIM
  • Email bombing
  • Version disclosure
  • Issues that require unlikely user interaction
  • Broken link hijacking (e.g. social media links)
  • Weak SSL/TLS configurations reports
  • Disclosing API keys without any security impact
  • Physical attacks – Attacks that require physical access to a victim’s device
  • Recently disclosed 0-day vulnerabilities in third-party products
  • Reports without proof of exploitation
  • Stripping EXIF data – We choose not to strip EXIF data since customers need them. This is by design.
  • Known issues

How to Submit a Vulnerability Report

All vulnerabilities must be reported to security@appinindore.com with the following details:

Details:

  • Full Name:
  • Mobile Number:
  • LinkedIn Profile:
  • Bug Details:
  • Name of the Vulnerability:
  • Proof of concept:
  • Detailed steps to reproduce:

Preference, Prioritization, and Acceptance Criteria
We will use the following criteria to prioritize and triage submissions.

What we would like to see from YOU:

  • Well-written reports in English will have a higher probability of resolution.
  • Reports that include proof-of-concept code equip us to better triage.
  • Reports that include only crash dumps or other automated tool output may receive lower priority.
  • Reports that include products not on the initial scope list may receive lower priority.
  • Please include how you found the bug, the impact, and any potential remediation.
  • Please include any plans or intentions for public disclosure.

What you can expect from Appin Technology Lab:

  • A timely response to your email (within 3 business days).
  • After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
  • An open dialog to discuss issues.
  • Notification when the vulnerability analysis has completed each stage of our review.
  • Credit/Acknowledgement/Certificate after the vulnerability has been validated and fixed.

Complying with this policy

As long as you follow the instructions laid out in this policy, Appin Technology Lab. will commit to the following:
  • We will not pursue civil or criminal legal action against you or initiate a complaint to law enforcement for accidental, good faith violations of this policy considering there is no damage done to the party concerned. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act.
  • We will work with you to understand the vulnerability and fix it.
  • We will keep you informed of the timeline to fix the vulnerability, post verifying its authenticity.

Public disclosure

By default, this program is in “PUBLIC NONDISCLOSURE” mode which means:
‍THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ONE SHOULD NOT RELEASE THE INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO THE PUBLIC, FAILING WHICH THEY SHALL BE LIABLE FOR LEGAL PENALTIES.

Get in Touch

First Name*
Last Name*
Phone Number*
Email*
City*
Qualification*
Powered by Bigin

Download Syllabus

Make an Inquiry