RESPONSIBLE DISCLOSURE

We at ENCIPHERS truly believe that whether it is a growing firm or a well-known enterprise, security should be given the utmost priority. As a team of enthusiastic security researchers, we invest every day in finding security vulnerabilities for our clients. Being a security services provider, we make sure that you are able to use our website and products securely. We are committed to the privacy and security of our users' data. But YES, vulnerabilities are inevitable. For that sole reason, we invite security professionals to test for vulnerabilities in our website or products (within scope).

Whether it is a small vulnerability or a critical one, send us your report by submitting the form below. As of now, we are not providing monetary rewards for low and medium severity vulnerabilities. Monetary/swag rewards are only provided for high and critical severity vulnerabilities. Either way, we would be happy to put your name in our Hall of Fame.

Rules Of Engagement

When submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for the Hall of Fame.

The following attributes are expected in a valid submission:

  • Description of the vulnerability
  • Steps to reproduce the vulnerability. If we cannot reliably reproduce the issue, we cannot fix it
  • Impact of the vulnerability and an exploit scenario
  • Proof of concept

In-Scope

Only the following are in scope:

Out Of Scope

Anything that looks like a test domain or is not a production website, for example test.enciphers.com.

Note: Please refrain from doing any stress testing such as DoS or DDoS.

Not Applicable Vulnerabilities

Please refrain from sending us reports on the issues below. Even if they are reproducible, ENCIPHERS considers them Informational and not security vulnerabilities.

  • Presence of banner or version information
  • OPTIONS / TRACE HTTP methods enabled
  • "Advisory" or "Informational" reports such as user enumeration
  • Vulnerabilities requiring physical access to a system
  • Missing CAPTCHAs
  • Default web server pages
  • Brute-force attacks
  • Content injection
  • Hyperlink injection in emails
  • Missing SPF/DMARC records
  • Content spoofing
  • Issues relating to password policy
  • Full-path disclosure
  • Version number information disclosure
  • XML-RPC being publicly accessible (or enumeration using XML-RPC)
  • CSRF-able actions that do not require authentication (or a session) to exploit
  • Issues on third-party subdomains/domains of services we use. Please report those issues to the appropriate service.
  • Reports related to security headers: Strict Transport Security (HSTS), X-XSS-Protection, X-Content-Type-Options (unless a missing nosniff is shown to be exploitable), and Content Security Policy (CSP) settings
  • Clickjacking (without a valid exploit)
  • DoS vulnerabilities
  • Any theoretical issue that does not appear to be exploitable


Responsible Disclosure Form

    Currently, we are not providing any monetary rewards. As a token of appreciation for your work, we will add you to our Hall of Fame.


    Have more questions? Need our PGP key? Send an email to security@enciphers.com.


    Happy Hacking  🙂