Andalin Bug Bounty

Keeping user information safe and secure is our top priority and a core company value at Andalin. We welcome contributions from external security researchers and look forward to rewarding them for their invaluable contribution to the security of all Andalin users.

If you (Security Researchers) comply with the policies below when reporting a security issue to Andalin, we (Andalin) will not initiate a lawsuit or law enforcement investigation against you in response to your report.

Disclosure Policy

We acknowledge your contribution towards Andalin system security. You can refer to the following disclosure policy:

  • You give us reasonable time to investigate and mitigate an issue that you report before making any information about the report public or sharing such information with others.
  • You do not interact with an individual account (including modifying or accessing data from the account) unless the account owner has consented to such actions.
  • You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorised access to or destruction of data, and interruption or degradation of our services.
  • You conduct good-faith security research that avoids disruption and has minimal or no impact on Andalin and other Andalin users.
  • You do not exploit a security issue that you discover for any reason. (This includes demonstrating additional risk, such as attempting to compromise sensitive company data or probing for additional issues.)
  • You do not intentionally violate any other applicable laws or regulations, including (but not limited to) laws and regulations prohibiting unauthorized access to data.
  • For the purposes of this policy, you are not authorized to access user data or company data, including (but not limited to) personally identifiable information and data relating to an identified or identifiable natural person, except to the minimum extent needed to validate a vulnerability.
  • Andalin reserves the right to decide whether submitted reports may be published to the public.
  • Reports with ‘critical’ severity may not be published by Researchers on their own.
  • If you want to publish a report to the public, you must submit a disclosure request to security@andalin.com, obtain written consent from Andalin, and wait at least 3 months after the vulnerability is fixed.
  • If you publish reports without Andalin's consent (for any reason: education, publicity, etc.), we will not hesitate to initiate a lawsuit or take other legal action against you.

Reporting Guidelines

  • To report a security bug, email security@andalin.com with a proof of concept that includes step-by-step reproduction instructions, screenshots, and a suggested remediation. Attach a proof-of-concept video that reproduces the vulnerability.
  • Please use your full name as it appears on your Citizen ID and bank account.
  • Researchers must state in their report any privacy violations or disruptions that inadvertently occurred while looking for vulnerabilities, such as unauthorized access to other users' data, service configurations or other confidential information.

Bug bounty scope

In principle, any Andalin-owned or subsidiary web service that handles reasonably sensitive user data is intended to be in scope. This includes virtually all content under the following domain:

*.andalin.com

Andalin Website

In Scope Vulnerabilities

  • SQL Injection
  • Cross-site Scripting (XSS)
  • Significant Authentication Bypass
  • Access Control Issues (Insecure Direct Object Reference issues, etc)
  • Cross-site Request Forgery in Critical Action
  • Disclosure of sensitive information
  • Server-Side Request Forgery (SSRF)
  • Server-side Remote Code Execution (RCE)
  • XML External Entity Attacks (XXE)
  • Exposed administrative panels that do not require login credentials
  • Directory Traversal Issues
  • Local File Disclosure (LFD)
  • Server Side Template Injection (SSTI)

Out of Scope Vulnerabilities

  • Self-XSS (we require evidence on how the XSS can be used to attack another Andalin user).
  • We will accept reports of XSS on out-of-scope properties but will not reward them.
  • XSS issues that affect only outdated browsers.
  • Reports that state that software is out of date/vulnerable without a proof of concept.
  • Password, email and account policies, such as email id verification, reset link expiration, password complexity.
  • Missing 403 Forbidden responses for hidden or metadata files that were mistakenly uploaded to the server.
  • Missing security headers which do not lead directly to a vulnerability.
  • Missing best practices (we require evidence of a security vulnerability).
  • Host header injections unless you can show how they can lead to stealing user data.
  • Reports of spam (i.e., any report about the ability to send emails or SMS without rate limits).
  • Stack traces that disclose information.
  • CSV injection.
  • Highly speculative reports about theoretical damage. Be concrete.
  • Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.
  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner).
  • Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.
  • Social Engineering (Phishing, Fraud, etc.).
  • Denial of Service Attacks.
  • Reflected File Download (RFD).
  • Window.opener (tabnabbing), related issues.
  • Physical or social engineering attempts (this includes phishing attacks against Andalin employees).
  • Content injection issues.
  • Most Brute Forcing issues.
  • Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.).
  • Missing autocomplete attributes.
  • Phishing risk via unicode/punycode or RTLO issues.
  • Being able to select files with the wrong extension in a file chooser.
  • Missing cookie flags on non-security-sensitive cookies.
  • Issues that require physical access to a victim’s computer.
  • Missing HTTP security headers that do not present an immediate security vulnerability, for example: Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP, Content-Security-Policy-Report-Only.
  • Fraud issues (please see the below section elaborating on this).
  • SSL/TLS scan reports (this means output from sites such as SSL Labs).
  • Banner grabbing issues (figuring out what web server we use, etc.).
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability.
  • Recently disclosed 0-day vulnerabilities. We need time to patch our systems; please give us 1 month before reporting these types of issues.
  • Entering the Andalin offices, throwing crisps everywhere, unleashing a bunch of hungry raccoons, and hijacking an abandoned terminal on an unlocked workstation while staff are distracted.
  • Open redirect (unless you can use it to obtain a user's token or other sensitive information).
  • Clickjacking (we will accept clickjacking only if it is severe enough, e.g. on a sensitive page).

Bug Severity Terms

  • Low
  • Medium (Rewards)
  • High (Rewards)
  • Critical (Rewards)

*Note: we will process the reward within a maximum of 90 (ninety) days after the Bug Bounty Report is deemed valid and verification is completed.

Frequently Asked Questions

Q: What if I found a vulnerability, but I don't know how to exploit it?

A: We expect vulnerability reports sent to us to include a valid attack scenario to qualify for a reward; we consider this a critical step in vulnerability research. Reward amounts are decided based on the maximum impact of the vulnerability, and the panel is willing to reconsider a reward amount based on new information (such as a chain of bugs, or a revised attack scenario).

Q: Who determines whether my report is eligible for a reward?

A: The reward panel consists of the members of the Andalin Security Team.

Q: When will reward be paid?

A: You will be paid after the vulnerability has been fixed by our engineers, so please give us reasonable time to fix it.

Q: What happens if I disclose the bug publicly before you had a chance to fix it?

A: Please read our Disclosure Policy. In essence, our pledge to you is to respond promptly and fix bugs in a sensible timeframe; in exchange, we ask for reasonable advance notice. Reports that go against this principle will usually not qualify, and we will cancel the reward. If the disclosure contains sensitive information, we also reserve the right to take legal action under applicable laws.

Q: What happens if I hit your servers multiple times using a short time interval?

A: You may not hit our servers without a delay. Use a delay of at least 1 second between each request in your testing. Requests that hit our servers more than once per second will be considered an attack on our servers; we will block your IP address and may take legal action.
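The one-request-per-second rule above is easy to break by accident with any automated tooling, so it is worth enforcing it on the client side rather than relying on a scanner's default settings. The following is an added example written for this page, not Andalin's code: a small limiter that guarantees at least one second between consecutive requests, a wrapper that applies it to any send function, and a check to run over your own request timestamps afterwards. `FakeClock`, `simulate` and the sample gaps are constructed for the demonstration; in real use you pass the real clock and a function that performs the HTTP request.

```python
"""Client-side request throttle for security testing (added example, not
Andalin's code). Standard library only; runs offline."""
import time
from typing import Callable, List, Optional, Sequence, TypeVar

T = TypeVar("T")
R = TypeVar("R")


class MinIntervalLimiter:
    """Enforce a minimum spacing between consecutive requests.

    `clock` and `sleep` default to the real monotonic clock and time.sleep;
    they are injectable only so the behaviour can be exercised without
    waiting (a design choice of this example, not a library feature).
    """

    def __init__(
        self,
        min_interval: float = 1.0,
        clock: Callable[[], float] = time.monotonic,
        sleep: Callable[[float], None] = time.sleep,
    ) -> None:
        if min_interval <= 0:
            raise ValueError("min_interval must be positive")
        self.min_interval = min_interval
        self._clock = clock
        self._sleep = sleep
        self._last_sent: Optional[float] = None

    def wait(self) -> float:
        """Block until the next request is allowed; return seconds waited."""
        waited = 0.0
        if self._last_sent is not None:
            elapsed = self._clock() - self._last_sent
            waited = max(0.0, self.min_interval - elapsed)
            if waited > 0.0:
                self._sleep(waited)
        # Record the send time after any sleep, so the next gap is measured
        # from the moment the request actually goes out.
        self._last_sent = self._clock()
        return waited


def send_throttled(limiter: MinIntervalLimiter,
                   send: Callable[[T], R],
                   items: Sequence[T]) -> List[R]:
    """Call `send` on each item, pausing via the limiter before every call.
    In real use `send` performs one HTTP request against the target."""
    results: List[R] = []
    for item in items:
        limiter.wait()
        results.append(send(item))
    return results


def min_gap(timestamps: Sequence[float]) -> float:
    """Smallest gap between consecutive timestamps, in seconds. Run this over
    your tool's request log to confirm you never exceeded one request per
    second. Returns +inf when there are fewer than two timestamps."""
    if len(timestamps) < 2:
        return float("inf")
    return min(b - a for a, b in zip(timestamps, timestamps[1:]))


class FakeClock:
    """Constructed clock for the demo: sleeping advances time instantly."""

    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


def simulate(gaps: Sequence[float], min_interval: float = 1.0) -> List[float]:
    """Simulate a scanner whose own processing leaves `gaps` seconds between
    requests (some shorter than allowed) and return the times at which each
    request is actually sent once the limiter is applied."""
    clock = FakeClock()
    limiter = MinIntervalLimiter(min_interval, clock=clock.now, sleep=clock.sleep)
    sent: List[float] = []
    for gap in gaps:
        clock.sleep(gap)  # constructed workload: scanner's processing time
        limiter.wait()
        sent.append(clock.now())
    return sent


if __name__ == "__main__":
    # Constructed workload: several requests arrive faster than 1/s.
    times = simulate([0.0, 0.25, 0.5, 1.5, 0.0])
    print("send times:", times)            # [0.0, 1.0, 2.0, 3.5, 4.5]
    print("minimum gap:", min_gap(times))  # 1.0
```

The limiter measures from the moment the previous request was sent, not from when the previous response came back, so it stays correct even when the target answers slowly. If your tool runs several threads or processes, share one limiter (or use a per-process interval multiplied by the number of workers); independent limiters per worker would each be within the rule while their combined traffic is not.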