Security Policy - Summary
We reward cybersecurity researchers' responsible disclosures on a first-reported basis, only if they meet the strict eligibility criteria. Please read the full policy below.
Security Policy - Full
This Security Policy covers all of our websites and web applications. This website is operated by its developer ("we" or "us").
Introduction
Security is core to our values, and we value the input of hackers acting in good faith to help us maintain a high standard for the security and privacy of our users. This includes encouraging responsible vulnerability research and disclosure. This policy sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.
SCOPE: Eligible cybersecurity research submissions
Only the following submissions are eligible for a reward.
- Domain Theft: Theft of domain name "hard.email" or the creation of an unauthorized subdomain "ctf.hard.email".
- Defacement: Defacement of the website at https://hard.email or creation of an unauthorized webpage at "https://hard.email/ctf.html".
- Data Theft: Theft of data from an underlying database, e.g. wp_ctf.db.
- Login Bypass: Unauthorized access bypassing the login restrictions of the website, e.g. login.php / forgot-password.php.
- Admin Privilege: Gaining root access to the web server e.g. by creating a file at the location "/root/.ssh/ctf.txt" on the server which contains your email.
- Ransomware: Encrypt the file "/root/ctf/encryptme.doc" and prove by sending the decryption key.
OUT-OF-SCOPE: Submissions that are not eligible for a reward
Anything that is not explicitly identified in the Eligibility section would be ineligible. The following are explicitly prohibited.
- Availability Attacks (without prior permission): DoS, DDoS, DRDoS or any other form of attack with or without botnets. Please note I can allow dedicated time slots for DDoS.
- OSINT: Enumeration, reconnaissance, version disclosures.
- Supply chain: Attacks on service providers and the supply chain (e.g. Cloudflare, Vultr, AWS, GitHub; the list is not exhaustive).
GROUND RULES
To encourage vulnerability research and to avoid any confusion between legitimate research and malicious attacks, we ask that you attempt, in good faith, to:
- Play by the rules. This includes following this policy and other relevant agreements;
- Report any vulnerability you have discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with us;
- Handle the confidentiality of details of any discovered vulnerabilities according to our Security Policy;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
- Interact only with test accounts you own or with explicit permission from the account holder; and
- Do not engage in extortion or blackmail via any social media or forum or the darknet.
Safe Harbor
We consider vulnerability research conducted according to this policy to be:
- Authorized in view of any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Authorized in view of relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Acceptable Usage Policy that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.
Other conditions
All cybersecurity researchers are normally eligible for a reward, with the following conditions.
- Anyone under the age of 18 years must obtain prior permission from a parent or legal guardian, and in such cases, the reward will only be sent to the parent/guardian. No payments to minors. No exceptions.
- No reward will be paid in Bitcoin or other cryptocurrency or by Western Union or Paypal or similar payment gateways.
- Payment will be made only to bank accounts, provided IBAN and BIC/SWIFT codes are available.
- No reward will be paid to accounts in countries that are subject to international sanctions. No exceptions.
How to claim your bug bounty
This part is easy. Email us (a) the proof of eligibility, (b) steps to reproduce, and (c) optionally, a recommended remedy. Upon verification, we will reply to your email. Please give us two weeks for this verification process. More time may be required for particularly complex attacks. Please do not make any public disclosure without prior written permission.
Changes
The Security Policy may be updated from time to time, so please check back on a regular basis for any changes. The last modification date of this document is shown at the bottom of this page.
Last update: 9 May 2023