Disclosure Policy
We will investigate legitimate reports and make every effort to quickly resolve any vulnerability.
To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you providing you comply with the following guideline: Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
See our security.txt file for contact information.
Process
1. Download our public PGP key from our website
2. Add any message/files/report documents you wish to send us into a .zip file and encrypt it to create a .asc file
3. Email the .asc file to us in addition to your public key so we can respond to you in the same manner
- Warning: Please DO NOT send us unencrypted files or write anything in the email body
- Warning: Use discretion when adding a subject line to the email as well to avoid leaking potentially sensitive information
4. After you send us a report, you can expect the following process flow:
Languages
Currently our team is comprised of only English speakers. We plan to expand our language base as we progress.
Please communicate with us using any of the following languages:
Scope
The following domains are in scope:
- www.senteon.co
- app.senteon.co
- update.senteon.co
Test Exclusions
The following test types are excluded from the scope:
- Physical Penetration Testing such as accessing an office (e.g. open doors, tailgating).
- Social Engineering (e.g. phishing, vishing).
- Testing against applications or systems not listed in the "Scope" section.
Issue Exclusions
The following issue types are excluded from the scope:
| Issue Type |
|
Reasoning |
| Network-level Denial of Service (Dos/DDoS) vulnerabilities |
|
We do not want you to disrupt any of our services. |
| Low severity issues that can be detected with tools such as Hardenize or Security Headers |
|
We run regular scans already and try to improve our posture gradually. |
| Content injection |
|
The severity of these issues is so low that it does not warrant a report. |
| Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.) |
|
In order for CSRF to be a valid issue it must affect some important action e.g. deleting one's account. |
| Missing cookie flags on non-sensitive cookies |
|
These do not present a significant risk and are usually picked up by scanners already. |
| UI and UX bugs (including spelling mistakes) |
|
These do not typically present a significant risk. |
| Issues in third-party services |
|
These should be reported to the respective team. |
Other Exclusions
- Reports with video-only proof of concepts.
- Reports that state that software is out-of-date or vulnerable without a proof of concept.
- Vulnerabilities as reported by automated tools without additional analysis as to how they are an issue.
Rewards
Our maximum bounty amount for a CVSS Score of 10 is $200. We calculate the other bounty amounts as listed below using this formula with an exponent n of 2
We will only reward reports that have an overall CVSS score of 5 or above. That being said, reports with a CVSS score below 5 might be accepted and resolved accordingly.
Rewards will be paid out via stored value cards i.e. preloaded debit cards / gift cards. Exact details can be negotiated with us.
| CVSS Score (Base Score & Environmental Score) |
|
Bounty Amount in USD ($) |
| 5 |
|
$50 |
| 6 |
|
$72 |
| 7 |
|
$98 |
| 8 |
|
$128 |
| 9 |
|
$162 |
| 10 |
|
$200 |