Bounty
At Eneba we’re happy to cooperate with the security research community and maintain a reward program for issues found.
If you believe you’ve detected a security issue and wish to claim a reward, please check the guidelines below.
Qualifying issues
Any issue that affects the confidentiality or integrity of user data is likely to be in scope for this program. Common examples include:
- Cross-site scripting
- Cross-site request forgery
- Mixed-content scripts
- Authentication or authorization flaws
- Server-side code execution bugs
- Ability to retrieve keys not belonging to the user
- Bypassing user verification procedures
Non-qualifying issues
Due to limited impact and/or the resources required to exploit them, certain issues do not qualify for a reward:
- Issues requiring unlikely user actions. For example, an issue that only works if the user manually enters something in the browser console or installs additional software will not qualify.
- Denial of Service (DoS) vulnerabilities.
- URL redirection (open redirects).
- Email spoofing for the eneba.com domain. We are aware of the issues that can arise from spoofed emails, but we do not consider this a reward-worthy finding.
- Enumeration and brute-force attacks. These will not be considered for a reward unless you demonstrate a rate-limiting issue (a missing or bypassable rate limit) that makes the attack practical.
Disclosure procedure
Keep in mind that:
- We will resolve the issue within 30 days of receiving your report.
- The bounty will be decided and paid out after the issue is resolved.
- If the issue is disclosed publicly or to a third party before it is resolved, it will be disqualified from receiving a reward.
For submission, please include:
- A full description of the vulnerability, including its exploitability and impact.
- All steps required to reproduce the vulnerability.
- A proof of concept (video or screenshots).
- The affected URL(s).
- Any files you attempted to upload as part of the test.
Report vulnerabilities to us by email at security@eneba.com