Responsible Disclosure

Found a security problem in our application?

Let us know! The safety of our customer information is extremely important to us. That is why we strive continuously to keep our services secure. Nevertheless, sometimes something can go wrong. We appreciate it if you let us know, so that we can take measures. In this way, we work together to improve the security of our data and systems.

Rules:

Participation in our Responsible Disclosure Program is voluntary. By submitting a report to us, you are indicating that you have read and agree to follow the rules.

– You should be a citizen of Bangladesh.

– Research and disclose in good faith.

– Respect our users’ privacy.

– No extortion, shakedowns, or duress.

– Don’t leave any system in a more vulnerable state than you found it.

– Don’t publicly disclose a vulnerability without our consent.

– Do not test using social engineering techniques (phishing, vishing, etc.)

– Do not perform DoS or DDoS attacks.

– Do not attack our end users in any way, or engage in the trade of stolen user credentials.

– Be respectful when interacting with our team, and our team will do the same.

– Do not use any automation tool that generates heavy traffic on our servers.

– If you use any fuzzing tool, make sure you have selected a rate limitation of 3/5. Otherwise your IP will be banned from our server.

Eligibility:

One Ummah BD reserves the right to decide if the minimum severity threshold is met and whether it was previously reported. To qualify for a swag/gift under this program, you should:

– Be the first to report a specific vulnerability.

– Send a clear textual description of the report along with steps to reproduce the vulnerability. Include attachments such as screenshots or proof of concept code as necessary.

– Disclose the vulnerability report responsibly to us. Public disclosure or disclosure to other third parties – including vulnerability brokers – before we have addressed your report forfeits the gift.

– Demonstrate care in reproducing the vulnerability. In particular, test only on accounts you own and do not attempt to view or tamper with data belonging to others.

Rewards:

We will reward reports according to their severity on a case-by-case basis as determined by our security team.

Severity:

– Low (P4/P5) – None.

– Medium (P3) – Hall of Fame

– High (P2) – Hall Of Fame + T-shirt

– Critical (P1) – Appreciation Letter + Hall Of Fame + T-Shirt

In-Scope Vulnerabilities:

– Anything not listed under Out-of-Scope Vulnerabilities (below) will be considered an in-scope vulnerability. This includes:

– Descriptive error messages that expose credentials

Out-Of-Scope Vulnerabilities:

This section contains issues that are not accepted under this program.

The following findings are specifically excluded from the reward:

– Descriptive error messages (e.g. Stack Traces, application or server errors)

– Open redirects

– Host header issues

– Fingerprinting/banner disclosure on common/public services.

– Disclosure of known public files or directories, (e.g. robots.txt).

– Lack of CSRF in forms intended for unauthenticated users.

– Lack of rate limits on non-authentication endpoints.

– Content Spoofing without embedded links/HTML

– Reflected File Download (RFD).

– Best practices concerns.

– HTML Injection

– window.opener-related issues.

– Highly speculative reports about theoretical damage. Be concrete.

– Missing HTTP security headers

– Infrastructure vulnerabilities, including:

  – DNS issues (e.g. MX records, SPF records)

  – Certificates/TLS/SSL related issues

– Attacks that require social engineering

– Recently disclosed 0-day vulnerabilities

– Issues that require physical access to the victim's device or browser

– DDoS

In Scope:

Domain: *.oneummahbd.shop

Out of Scope:

– Any third party services we use.

How to report a security issue

If you find any security issue, please send the report to [email protected] with the following information:

– Subject: Bug Submission

– Summary

– Description

– Impacts

– Steps to reproduce

– Recommended Fix (Optional)