Knorish bug bounty program

Knorish recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Knorish customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible.

Severity Levels

All issues reported to Knorish are tagged with a severity level. The severity level is based on the Common Vulnerability Scoring System (CVSS) score that we calculate ourselves for each specific vulnerability report. There are four severity levels: critical, high, medium, and low. Rewards to security researchers are based on the applicable severity level.

Severity Level - Critical

Vulnerabilities that score in the critical range usually have most of the following characteristics:

  • Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices.

  • Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.

Severity Level - High

Vulnerabilities that score in the high range usually have some of the following characteristics:

  • The vulnerability is difficult to exploit.

  • Exploitation could result in elevated privileges.

  • Exploitation could result in a significant data loss or downtime.

Severity Level - Medium

Vulnerabilities that score in the medium range usually have some of the following characteristics:

  • Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics.

  • Denial of service vulnerabilities that are difficult to set up.

  • Exploits that require an attacker to reside on the same local network as the victim.

  • Vulnerabilities where exploitation provides only very limited access.

  • Vulnerabilities that require user privileges for successful exploitation.

Severity Level - Low

Vulnerabilities in the low range typically have very little impact on an organization's business. Exploitation of such vulnerabilities usually requires local or physical system access.

Process

Your submission will be reviewed and validated by a member of the Product Security Incident Response Team.

  • When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.

  • Including a proof-of-concept for desktop vulnerabilities will expedite our investigation. We encourage you to use PGP encryption (key here).

  • If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. DNS-related vulnerabilities (e.g. subdomain takeover) are an exception and should be reported uniquely.

  • When duplicates occur, the first report received is treated as the original; subsequent reports are marked as duplicates.

Report the identified vulnerability to our security team by email, sent from your registered email address to [email protected] with the subject line VULNERABILITY ON KNORISH. Mail with any other subject line will be ignored and is not eligible for a bounty.

The mail should strictly follow the format below:

Individual details

  • Full name

  • Mobile number

  • Email

  • Any publicly identifiable profile (LinkedIn, Github etc.)

  • Want to get listed on Hall of Fame (Yes/No)

Bug details

  • Name of the Vulnerability

  • Areas affected

Impact and proof of concept

  • Detailed steps to reproduce with a video clip as proof of concept

Eligible Vulnerabilities

We encourage the coordinated disclosure of the following eligible web application vulnerabilities:

  • Cross-site scripting (XSS)

  • Cross-site request forgery (CSRF) in a privileged context

  • Server-side code execution / Remote Code Execution (RCE)

  • Authentication or authorization flaws

  • Injection vulnerabilities, including SQL injection

  • Directory traversal

  • Insecure Direct Object References (IDOR)

  • Information disclosure

  • Significant security misconfiguration

  • Payment flow bypass

  • Price manipulation with a successful transaction

  • Domain take-over vulnerabilities

  • Bulk data leak vulnerabilities

To receive credit, you must be the first reporter of a vulnerability. Once a report is accepted and resolved, a full scan of the platform for similar vulnerabilities is carried out before the reward is confirmed. We do not reward duplicate submissions within the same vulnerability category.

Program Exclusions

While we encourage any submission affecting the security of a Knorish web property, the following examples are excluded from this program unless evidence demonstrating exploitability is provided:

  • Known issues

  • Content spoofing / text injection

  • Self-XSS (cross-site scripting that requires the victim to inject the payload themselves)

  • Self-Session Hijacking

  • Self-Session parameter tampering

  • Logout and other instances of low-severity Cross-Site Request Forgery

  • Cross-site tracing (XST)

  • Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)

  • Missing HTTP security headers

  • Missing cookie flags on non-sensitive cookies

  • Password and account recovery policies, such as reset link expiration or password complexity

  • Incomplete or missing SPF (Sender Policy Framework) or DKIM records

  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms

  • SSL/TLS best practices

  • Clickjacking/UI redressing with no practical security impact

  • Software version disclosure

  • Username / email enumeration via Login Page or Forgot Password Page error messages

  • Bug submissions

  • Any submission by a Knorish (or vendor) employee, or by their relatives or colleagues

Disclosure

In the interest of fostering coordinated disclosure, Knorish will collaborate with finders in good faith who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you.

Terms and Conditions

  • Please use your own account for testing or research purposes. Do not attempt to gain access to another user's account or confidential information.

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

  • When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).

  • Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

  • Please do not test for spam, social engineering, or denial of service issues.

  • Please do not engage in any activity that can potentially or actually cause harm to Knorish, our customers, or our employees.

  • Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.

  • Do not store, share, compromise, or destroy Knorish or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Knorish. This step protects any potentially vulnerable data, and you.