Cyber Security Management

Vulnerability Categories We Encourage

We are primarily interested in hearing about the following vulnerability categories.

Authentication bypass for login to My Account

SQL Injection (SQLi)

Data Exposure

Remote Code Execution

Authorization bypass for asset playback

Cross Site Scripting (XSS)

Redirection Attacks

Clever vulnerabilities or unique issues

Out of Scope Vulnerability Categories

The following vulnerability categories are considered out of scope of our responsible disclosure program and will not be eligible for credit and/or bounty.

  • SSL vulnerabilities related to configuration or version
  • Denial of Service (DoS). There is also rate-limiting functionality on our service, that will kick in after abusive amount of requests is made. There is not need for you to test it and it also has different thresholds for different urls (e.g. much lower for auth related endpoints).
  • User enumeration
  • Password policies/2FA (we not trying to build bank here)
  • Brute forcing
  • Secure flag not set on non-sensitive cookies
  • HTTP Only flag not set on non-sensitive cookies
  • Logout Cross Site Request Forgery (CSRF)
  • Handling of CSRF token (it is tied to particular app session cookie)
  • HTTP access control (CORS)
  • Self-XSS
  • Cookie showmax_oauth not having a Secure flag set
  • Certain services passing access_token in params
  • Issues only present in old browsers/old plugins/end-of-life software browsers
  • HTTP TRACE method enabled
  • Vulnerability reports related to the reported version numbers of web servers, services, or frameworks
  • Clickjacking on pages without authentication and/or sensitive state changes
  • Missing Content-Security-Policy (CSP)
  • Open ports for services on the servers (e.g. open ssh)
  • Reports related to password reset token handling, its immediate invalidation etc.
  • Vulnerability reports that require a large amount of user cooperation to perform unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)
  • Any physical attempts against Showmax property or data centers
  • Social engineering (including phishing) of Showmax staff or contractors
  • Spamming
  • Email routing related issues, such as SPF, DKIM or DMARC configuration


Support Wala has been at the forefront of providing quality managed technical services to various companies for more than 10 years. Our areas of expertise include dedicated technical support, high availability and high-load projects implementation, infrastructure management as well as server management.