We at ENCIPHERS truly believe that whether it is a growing firm or a well-known enterprise, security should be given the utmost priority. As a team, of enthusiastic security researchers, we are investing each day by finding security vulnerabilities for our clients. Being a security services provider, we make sure that you are able to use our website and products securely. We are committed to the privacy and security of our user’s data. But YES, vulnerabilities are inevitable. For that sole reason, we are inviting security professional to test for any vulnerabilities on our website or products.
Whether it is a small vulnerability or a critical one, send us your report by filling the form below. If it a valid report, we will respond within 48-72 hours. As of now, we are not providing monetary rewards for Low and medium vulnerabilities. Monetary/Swag rewards are only provided for High and critical severity vulnerabilities. Though, we would be happy to put your name in our Hall Of Fame list.
Rules Of Engagement
When submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for the Hall of Fame.
The following attributes are expected in a valid submission:
- Description of the vulnerability.
- Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it.
- Impact of the vulnerability an exploit scenario.
- Proof of concept.
- Any reference link
Currently only below are in scope:
- www.enciphers.com (excluding out of scope domains)
Out Of Scope
Anything which looks like a test domain, or not a production website. Like, training.enciphers.com (removed domain).
Note: Please refrain from doing any stress testings like DoS or DDoS as it can pose a problem for our users.
Not Applicable Vulnerabilities
Please refrain from sending us a report on the below issues. Even if they are reproducible, ENCIPHERS consider them as Informational and not a security vulnerability.
- Issues found through automated testing
- Presence of banner or version information
- OPTIONS / TRACE HTTP method enabled
- “Advisory” or “Informational” reports such as user enumeration
- Vulnerabilities requiring physical access to a system
- Missing CAPTCHAs
- Default web server pages
- Brute-force attacks
- Content injection
- Hyperlink injection in emails
- Content Spoofing
- Issues relating to password policy
- Full-path disclosure
- Version number information disclosure
- WordPress related vulnerabilities: - XML.RPC being accessible publicly (without any exploit POC) - Username enumeration
- CSRF-able actions that do not require authentication (or a session) to exploit
- Issues on 3rd-party subdomains/domains of services we use. Please report those issues to the appropriate service.
- Reports related to the following security-related headers: - Strict Transport Security (HSTS) - XSS mitigation headers (X-Content-Type and X-XSS-Protection) - X-Content-Type-Options - Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
- Click-jacking (without a valid exploit)
- DOS vulnerabilities
Responsible Disclosure Form
Currently, we are not providing any monetary rewards. As a token of appreciation for your work, we will add you to our Hall of Fame.
Have more questions? Need our PGP key? Send an email to firstname.lastname@example.org.
Happy Hacking .:)