Security Disclosure Policy
This article is not a solicitation for software testing, penetration testing, security research, or debugging work.
We will not respond to solicitations.
We are dedicated to maintaining the security and privacy of the Iris Automation’s services and customer data. We actively welcome security researchers from the wider community who want to help us improve and maintain our products and services.
If you discover a security vulnerability, please give us the chance to fix it by emailing us at firstname.lastname@example.org. Publicly disclosing a security vulnerability without informing us first puts the wider community at risk. When you notify us of a potential problem, we will work with you to make sure we understand the scope and cause of the issue.
Thank you for your work and interest in making the world safer and more secure!
Iris Automation will reward individuals and organisations with cash, prizes, and public recognition for reporting vulnerabilities to us. Please email email@example.com to disclose an issue.
If you would like to be eligible for a bounty or reward, please read ALL of this article carefully.
Rules & Etiquette
We ask that you follow the guidelines listed below to be eligible for the Bounty Program, please read these carefully.
- Never attempt to gain access to a user’s account or data.
- Never attempt to degrade our services.
- Never impact other users with your testing.
- Test only the in-scope domains within the list below.
- Do not use fuzzers, scanners, or other automated tools to find vulnerabilities.
In-Scope Domains & Services
The following list of domains and services are in-scope for the Bounty Program. Please do not test or report issues with domains and services that are not listed here.
Only issues reported for in-scope domains are eligible for a bounty. Even for in-scope domains however the following list of attacks, vulnerabilities, services, methods, etc are out-of-scope, do not attempt them.
- DOS attacks
- Brute force attacks
- Physical vulnerabilities
- Social Engineering attacks
- CSRF on forms that are available to anonymous users
- Self-XSS and issues exploitable through Self-XSS
- Clickjacking and issues only exploitable through Clickjacking
- Functional, UI, and UX bugs such as spelling mistakes
- Descriptive error messages (e.g. stack traces, app, or server errors)
- HTTP error codes/pages
- Banner disclosure on common/public services
- Known public files or directories (e.g. robots.txt)
- Presence of web-browser autocomplete or save password permission
- User enumeration on login
- Absence of rate limits
The following researchers are listed based on their adherence to the above policy, their professionalism, and the significance or novelty of the issue disclosed.
- Akshat Dubey
- Jörg Steinsträter
- Who’s Next?