Vulnerability Categories We Encourage
We are primarily interested in hearing about the following vulnerability categories.
Out of Scope Vulnerability Categories
The following vulnerability categories are considered out of scope of our responsible disclosure program and will not be eligible for credit and/or bounty.
- SSL/TLS vulnerabilities related to configuration or protocol/cipher version
- Denial of Service (DoS). The service also has rate limiting that kicks in after an abusive number of requests is made; there is no need for you to test it. Note that it uses different thresholds for different URLs (e.g. much lower thresholds for authentication-related endpoints).
- User enumeration
- Password policies/2FA (we are not trying to build a bank here)
- Brute forcing
- Secure flag not set on non-sensitive cookies
- HTTP Only flag not set on non-sensitive cookies
- Logout Cross Site Request Forgery (CSRF)
- Handling of the CSRF token (it is tied to the particular app session cookie)
- HTTP access control (CORS)
- Cookie showmax_oauth not having a Secure flag set
- Certain services passing access_token in params
- Issues only present in old browsers, old plugins or other end-of-life software
- HTTP TRACE method enabled
- Vulnerability reports related to the reported version numbers of web servers, services, or frameworks
- Clickjacking on pages without authentication and/or sensitive state changes
- Missing Content-Security-Policy (CSP)
- Open ports for services on the servers (e.g. open ssh)
- Reports related to password reset token handling, its immediate invalidation etc.
- Vulnerability reports that require a large amount of user cooperation to perform unlikely or unreasonable actions, which would be more symptomatic of a social engineering or phishing attack than of an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)
- Any physical attempts against Showmax property or data centers
- Social engineering (including phishing) of Showmax staff or contractors
- Email routing related issues, such as SPF, DKIM or DMARC configuration