Keeping user information safe and secure is our top priority and a core company value at Andalin. We welcome contributions from external security researchers and look forward to rewarding them for their invaluable contribution to the security of all Andalin users.
If you (the Security Researcher) comply with the policies below when reporting a security issue to Andalin, we (Andalin) will not initiate a lawsuit or law enforcement investigation against you in response to your report.
We acknowledge your contribution towards Andalin system security. You can refer to the following disclosure policy:
In principle, any Andalin-owned subsidiary web service that handles reasonably sensitive user data is intended to be in scope. This includes virtually all content on the following domains:
*.andalin.com
Andalin Website
*Note: we will process the reward within a maximum of 90 (ninety) days after the Bug Bounty Report is deemed valid and verification is completed.
Q: What if I found a vulnerability, but I don't know how to exploit it?
A: We expect vulnerability reports sent to us to include a valid attack scenario to qualify for a reward, and we consider this a critical step in vulnerability research. Reward amounts are decided based on the maximum impact of the vulnerability, and the panel is willing to reconsider a reward amount based on new information (such as a chain of bugs or a revised attack scenario).
Q: Who determines whether my report is eligible for a reward?
A: The reward panel consists of the members of the Andalin Security Team.
Q: When will the reward be paid?
A: You will be paid after the vulnerability has been fixed by our engineers, so please give us reasonable time to fix it.
Q: What happens if I disclose the bug publicly before you have had a chance to fix it?
A: Please read our Disclosure Policy. In essence, our pledge to you is to respond promptly and fix bugs in a sensible timeframe; in exchange, we ask for reasonable advance notice. Reports that go against this principle will usually not qualify, and the reward will be cancelled. If the disclosure contains sensitive information, this does not rule out litigation under applicable laws.
Q: What happens if I hit your servers multiple times within a short time interval?
A: You are not allowed to hit our servers without a delay. Please use a delay of at least 1 second between every request in your testing. Requests that hit our servers more frequently than once per second will be considered an attack on our servers. We will block your IP address and may take legal action.