Exploit Disclosure and submission process.

Last Updated: Tuesday, 01 January 2017 02:43AM v091bh12


We have always worked closely with security researchers and awarded bug bounties to address possible and confirmed vulnerabilities.

We determine at our discretion whether a reward should be granted and the amount of the reward. In particular, we may choose to pay higher rewards for unusually clever or severe vulnerabilities, or lower rewards for vulnerabilities that require significant or unusual user interaction. This is not a contest or competition.

Rewards may be provided on an ongoing basis so long as this program is active.


Reporting Possible Vulnerabilities

  • You must report a qualifying vulnerability through email or phone to be eligible for a monetary reward.

  • If you have an issue that affects only your own account, please supply exact steps to reproduce the vulnerability.

  • If you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy. When demonstrating a vulnerability, please do so in an unobtrusive manner to avoid drawing public attention to the vulnerability. Vulnerabilities that are exposed publicly as a part of putting together a proof of concept (e.g. website defacement, stored XSS on a public site) are not eligible for bounty.

Report Template

Please be aware that the quality of your report is critical to your submission. Your report must contain the following items:

  • What type of issue are you reporting?
  • Is it a CWE or OWASP issue?
  • How does a user reproduce your issue? (If this contains more than a few steps, please create a video so we can attempt to perform the same steps).
  • What is the impact of your issue?
  • What are some scenarios where an attacker would be able to leverage this vulnerability?
  • What would be your suggested fix?

Eligibility and Responsible Disclosure

Only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).

Accepted Issue Types:

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Remote Code Execution (RCE)
  • Unauthorized Access to Protected Areas

Non-Qualifying Vulnerabilities:

  • Attacks requiring physical access to an infrastructure component or device
  • Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
  • Logout CSRF
  • Password and account recovery policies, such as reset link expiration or password complexity
  • Invalid or missing SPF (Sender Policy Framework) records
  • Content spoofing / text injection
  • Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages