Empuls Bug Bounty Program

At Empuls, we understand that consumer data protection is high priority and a significant responsibility that requires constant monitoring. We deeply value all those in the security community who help us ensure 100% security of our systems at all times.
‍
We believe that responsible disclosure of security vulnerabilities helps us maintain our users' utmost security and privacy. We invite security researchers to report any security vulnerability they may encounter in our products. Those submitting bugs within the scope of our program will be heartily rewarded for their support and security expertise.

How it works

If you notice any potential security issue while meeting all the required criteria in our policy, contact us at [email protected] to create a ticket.
Our security team will validate the severity and authenticity of the reported issue within 90 days.
After validation, our team will take steps to fix the security issues with our security policies.
Once the issue is resolved, our team will inform the owner of the ticket.

Eligibility

To be eligible for a reward, the following requirements must be met by you:

You must be the first person to report a vulnerability to Empuls.
The issue must impact any of the applications listed under our defined scope.
The issue must fall under the ‘Qualifying’ bugs listed.
Publishing of vulnerability information in the public domain is not allowed.
Any information about the vulnerability issue must be kept confidential until the issue is resolved.
No privacy policies set by Empuls must be violated when performing security testing.
Modification or deletion of unauthenticated user data, disruption of production servers, or any form of degradation to user experience is completely prohibited.

Violation of any of these rules can result in ineligibility or removal from the Empuls bug bounty program.

Guidelines

Use only the identified channel [email protected] to report any security vulnerability.
While raising the ticket, ensure that the description and potential impact of the vulnerability is mentioned.
Detailed instructions on the steps to be followed to reproduce the vulnerability must also be included.
A complete video POC should be attached, showing all the steps and information.
Details about the scope and qualification criteria are mentioned below.

Scope

Platform: https://empulsaccounts.xoxoday.com
Out-of-Scope websites: Staging subdomains, any other subdomain that is not connected to empuls.io

Qualifying Vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:

Cross-site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Server-Side Request Forgery (SSRF)
SQL Injection
Server-Side Remote Code Execution (RCE)
XML External Entity Attacks (XXE)
Access Control Issues (Insecure Direct Object Reference Issues, Privilege Escalation, etc)
Exposed Administrative Panels that don't require login credentials
Directory Traversal Issues
Local File Disclosure (LFD) and Remote File Inclusion (RFI)
Payments Manipulation
Server-side code execution bugs
API Rate Limiting and Throttling
- Bypassing API rate limits.
- Race conditions and concurrency issues in API endpoints.

Non-Qualifying Vulnerabilities

Open-Redirects: 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing oauth tokens, we do still want to hear about them
Reports that state that software is out of date/vulnerable without a 'Proof of Concept'
Host header issues without an accompanying POC demonstrating vulnerability
XSS issues that affect only outdated browsers
Stack traces that disclose information
Clickjacking and issues only exploitable through clickjacking

CSV injection. Please see this article: CSV formula injection | Google
Best practices concerns
Highly speculative reports about theoretical damage. Be concrete
Self-XSS that can not be used to exploit other users
Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue
Reports from automated web vulnerability scanners (Acunetix, Burp Suite, Vega, etc.) that have not been validated
Denial of Service Attacks
Brute Force Attacks
Reflected File Download (RFD)
Physical or social engineering attempts (this includes phishing attacks against Empuls employees)
Content injection issues
Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
Missing autocomplete attributes
Missing cookie flags on non-security-sensitive cookies
Issues that require physical access to a victim's computer
Missing security headers that do not present an immediate security vulnerability.
Fraud Issues
Recommendations about security enhancement
SSL/TLS scan reports (this means output from sites such as SSL Labs)
Banner grabbing issues (figuring out what web server we use, etc.)
Open ports without an accompanying POC demonstrating vulnerability
Recently disclosed vulnerabilities. We need time to patch our systems just like everyone else – please give us two weeks before reporting these types of issues

Reward

Bug Bounty rewards will be paid in the form of popular gift cards. The value of the gift card will depend upon the severity and quality of the bug as below:

Bug Severity

Reward Value

High

$250

Medium

$150

Low

$100

Note

The final decision on bug eligibility and rewarding will be made by Empuls. The program exists at the firm’s discretion and can be canceled at any time.