Andalin Bug Bounty

In Scope Vulnerabilities

• SQL Injection
• Cross-site Scripting (XSS)
• Significant Authentication Bypass
• Access Control Issues (Insecure Direct Object Reference issues, etc)
• Cross-site Request Forgery in Critical Action
• Information disclosure of Sensitive Information
• Server-Side Request Forgery (SSRF)
• Server-side Remote Code Execution (RCE)
• XML External Entity Attacks (XXE)
• Exposed Administrative Panels that don't require login credentials
• Directory Traversal Issues
• Local File Disclosure (LFD)
• Server Side Template Injection (SSTI)

Out of Scope Vulnerabilities

• Self-XSS (we require evidence on how the XSS can be used to attack another Andalin user).
• We will accept reports of XSS on Out of Scope Properties but will not reward for them.
• XSS issues that affect only outdated browsers.
• Reports that state that software is out of date/vulnerable without a proof of concept.
• Password, email and account policies, such as email id verification, reset link expiration, session expiration, password complexity.
• Missing forbidden status for hidden or metadata files that are incorrectly uploaded to the server.
• Missing security headers which do not lead directly to a vulnerability.
• Missing best practices (we require evidence of a security vulnerability).
• Host header injections unless you can show how they can lead to stealing user data.
• Reports of spam (i.e., any report involving ability to send emails & SMS without rate limits).
• Stack traces that disclose information.
• CSV injection.
• Highly speculative reports about theoretical damage. Be concrete.
• Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.
• Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner).
• Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.
• Social Engineering (Phishing, Fraud, etc.).
• Denial of Service Attacks.
• Reflected File Download (RFD).
• Window.opener (tabnabbing), related issues.
• Physical or social engineering attempts (this includes phishing attacks against Andalin employees).
• Content injection issues.
• Most Brute Forcing issues
• Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
• Missing autocomplete attributes.
• Phishing risk via unicode/punycode or RTLO issues.
• Being able to upload files with wrong extension in chooser.
• Missing cookie flags on non-security-sensitive cookies.
• Issues that require physical access to a victim’s computer.
• Missing security headers that do not present an immediate security vulnerability.
• Missing HTTP security headers, specifically, Example : Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP, Content-Security-Policy-Report-Only
• Fraud issues (please see the below section elaborating on this).
• SSL/TLS scan reports (this means output from sites such as SSL Labs).
• Banner grabbing issues (figuring out what web server we use, etc.).
• Open ports without an accompanying proof-of-concept demonstrating vulnerability.
• Recently disclosed 0 day vulnerabilities. We need time to patch our systems, please give us 1 month before reporting these types of issues.
• Entering the Andalin offices, throwing crisps everywhere, unleashing a bunch of hungry racoons, and hijacking an abandoned terminal on an unlocked workstation while staff are distracted.
• Open redirect (except you can get users token / sensitive info).
• Clickjacking , we will accept clickjacking if it severe enough (sensitive page).

Bug Severity Terms

• Low
• Medium (Rewards)
• High (Rewards)
• Critical (Rewards)

Frequently Asked Questions