Vulnerability Disclosure Policy
Last updated: September 02, 2020
Avora Holdings LTD (“Revenue Grid”) takes security, trust, and transparency with utmost seriousness. We appreciate the work of security researchers. We have introduced a program to make it easier to report vulnerabilities to Revenue Grid and to show appreciation of your effort to make the Internet a safer place. This policy provides our guidelines for reporting vulnerabilities.
Severity and Priority
Our focuses on security research are listed under “In Scope”, with their priority indicated.
The areas listed under ”In Scope” are explicitly eligible for the report program. Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:
- XML external entity attacks
- Cross-site scripting
- Cross-site request forgery
- Mixed content scripts
- Authentication or authorization flaws
- Server-side code execution bugs
- Circumvention of our Services’ permissions model
- SQL injection
- Insecure SSL/TLS ciphers
- Use of a known vulnerable library
- Policies on presence/absence of SPF/DMARC/DKIM records
While this list represents our primary focus for security research, we are also interested in reports for all of our software and dependencies, especially if it impacts reasonably sensitive user data. This can include any open source libraries, software, or third-party components.
Out of Scope
The areas listed under “Out of Scope” are explicitly ineligible. We will not disclose vulnerabilities reported regarding Out of Scope areas.
Specifically, the following issues are outside of the scope of the program:
- Password, email, and account policies, such as email id verification, reset link expiration, and password complexity
- Vulnerabilities affecting the users of outdated browsers or platforms
- Logout cross-site request forgery
- Attacks requiring physical access to a user’s device
- XSS on any site other than those listed as “In Scope”
- Attacks that require an attacker app to have the permission to overlay on top of our app (e.g. tapjacking)
- Vulnerabilities that require a potential victim to install non-standard software or take any other active steps to make themselves susceptible
- Social engineering of our employees or contractors
- Any physical access attempts against our property or data centers
- Presence of the autocomplete attribute in web forms
- Missing cookie flags on non-sensitive cookies
- Any access to data where the targeted user operates a rooted mobile device
- Missing application of best practices
- Missing security headers which do not directly lead to a vulnerability
- Lack of CSRF tokens (unless there is evidence of actual sensitive user actions not protected by a token)
- Host header injections
- Reports from automated tools or scans that haven’t been validated manually
- Presence of a banner or version information, unless, indicating a vulnerable version
Any issues already known to us. These vulnerabilities are considered Out of Scope.
To report a vulnerability to Revenue Grid, please email us at [email protected]
All aspects of this process are subject to change without notice, and to case-by-case exceptions.