Policy

Thank you for helping us keep Chillitray Technologies users safe! We ask that all researchers:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
  • Perform research only within the scope set out below;
  • Use the identified communication channels to report vulnerability information to us;
  • Report vulnerabilities as soon as you discover them;
  • Keep information about any vulnerabilities you’ve discovered confidential between yourself and Chillitray Technologies until we’ve had 18 days to resolve the issue.

If you follow these guidelines when reporting an issue to us, we commit to:

  • Not pursue or support any legal action related to your research;
  • Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 48 hours of submission).
  • In case of Non-duplicate valid submissions, we’d provide Hall of Fame & Suitable Remuneration (if any).

Scope

In-scope

Out of Scope

In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:

  • Findings from physical testing such as office access (e.g. open doors, tailgating).
  • Findings derived primarily from social engineering (e.g. phishing, vishing).
  • Findings from applications or systems not listed in the Scope section.
  • Vulnerability reports with video only PoCs.
  • Reports that state that software is out of date or vulnerable without a proof of concept.
  • Highly speculative reports about theoretical damage. Be concrete.
  • Vulnerabilities as reported by automated tools without additional analysis as to how they’re an issue.
  • Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.
  • Recently disclosed zero-day vulnerabilities. We need time to patch our systems just like everyone else - please give us 15 days before reporting these types of issues.
  • Issues in third-party services should be reported to the respective team. Please take a look at the “Third-Party Services” section for more information.
  • Any Rate limiting is strictly prohibited.

The following issue types are excluded from scope:

  • Network-level Denial of Service (DoS/DDoS) vulnerabilities.
  • Low severity issues that can be detected with tools such as Hardenize and Security Headers.
  • XSS issues that affect only outdated browsers.
  • Content injection issues.
  • Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.).
  • Missing cookie flags on non-security-sensitive cookies.
  • UI and UX bugs (including spelling mistakes).
  • CSV and Excel injection.
  • 401 page injection.
  • Stack traces that disclose information.
  • Host header issues without an accompanying proof-of-concept demonstrating vulnerability.
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability.
  • Banner grabbing issues (figuring out what web server we use, etc.).
  • Any Rate limiting on any forms or features.
  • SPF / DKIM / DMARC / ARC Related reports.
  • Clickjacking issues.
  • HSTS & Related issues

Reporting

If you believe you’ve found a security vulnerability in one of our products or platforms, please send it to us via our report form. Please provide detailed reports with reproducible steps. If a report is not detailed enough to reproduce the issue, it will not be eligible for a bounty.

Rewards

If you are the first to report an issue, and we make a code or configuration change based on the issue, we will award you:

Severity CVSS Award
Critical 9.0 - 10.0 HOF $
High 7.0 - 8.9 HOF
Medium 4.0 - 6.9 HOF
Low 0.1 - 3.9 HOF
None 0.0 - 0.0 N/A

Third-Party Services

Chillitray Technologies uses the following third-party services. If you discover an issue in one of these services, please report it to the appropriate security team.