Empuls Bug Bounty Program

At Empuls, we understand that consumer data protection is high priority and a significant responsibility that requires constant monitoring. We deeply value all those in the security community who help us ensure 100% security of our systems at all times.

We believe that responsible disclosure of security vulnerabilities helps us maintain our users' utmost security and privacy. We invite security researchers to report any security vulnerability they may encounter in our products. Those submitting bugs within the scope of our program will be heartily rewarded for their support and security expertise.

How it works

  1. If you notice any potential security issue while meeting all the required criteria in our policy, contact us at support@empuls.io to create a ticket.
  2. Our security team will validate the severity and authenticity of the reported issue within 90 days.  
  3. After validation, our team will take steps to fix the security issues with our security policies.  
  4. Once the issue is resolved, our team will inform the owner of the ticket.

Eligibility

To be eligible for a reward, the following requirements must be met by you:

  1. You must be the first person to report a vulnerability to Empuls.  
  2. The issue must impact any of the applications listed under our defined scope.  
  3. The issue must fall under the ‘Qualifying’ bugs listed.  
  4. Publishing of vulnerability information in the public domain is not allowed.  
  5. Any information about the vulnerability issue must be kept confidential until the issue is resolved.  
  6. No privacy policies set by Empuls must be violated when performing security testing.
  7. Modification or deletion of unauthenticated user data, disruption of production servers, or any form of degradation to user experience is completely prohibited.  

Violation of any of these rules can result in ineligibility or removal from the Empuls bug bounty program.

Guidelines

  1. Use only the identified channel support@empuls.io to report any security vulnerability.
  2. While raising the ticket, ensure that the description and potential impact of the vulnerability is mentioned.
  3. Detailed instructions on the steps to be followed to reproduce the vulnerability must also be included.
  4. A complete video POC should be attached, showing all the steps and information.
  5. Details about the scope and qualification criteria are mentioned below.

Scope

  1. Platform: https://empulsaccounts.xoxoday.com
  2. Out-of-Scope websites: Staging subdomains, any other subdomain that is not connected to empuls.io

Qualifying Vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:

  • Cross-site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Server-Side Request Forgery (SSRF)
  • SQL Injection
  • Server-Side Remote Code Execution (RCE)
  • XML External Entity Attacks (XXE)
  • Access Control Issues (Insecure Direct Object Reference Issues, Privilege Escalation, etc)
  • Exposed Administrative Panels that don't require login credentials
  • Directory Traversal Issues
  • Local File Disclosure (LFD) and Remote File Inclusion (RFI)
  • Payments Manipulation
  • Server-side code execution bugs
  • API Rate Limiting and Throttling
    - Bypassing API rate limits.
    - Race conditions and concurrency issues in API endpoints.

Non-Qualifying Vulnerabilities

  • Open-Redirects: 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing oauth tokens, we do still want to hear about them
  • Reports that state that software is out of date/vulnerable without a 'Proof of Concept'
  • Host header issues without an accompanying POC demonstrating vulnerability
  • XSS issues that affect only outdated browsers
  • Stack traces that disclose information
  • Clickjacking and issues only exploitable through clickjacking
  • CSV injection. Please see this article: CSV formula injection | Google
  • Best practices concerns
  • Highly speculative reports about theoretical damage. Be concrete
  • Self-XSS that can not be used to exploit other users
  • Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue
  • Reports from automated web vulnerability scanners (Acunetix, Burp Suite, Vega, etc.) that have not been validated
  • Denial of Service Attacks
  • Brute Force Attacks
  • Reflected File Download (RFD)
  • Physical or social engineering attempts (this includes phishing attacks against Empuls employees)
  • Content injection issues
  • Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
  • Missing autocomplete attributes
  • Missing cookie flags on non-security-sensitive cookies
  • Issues that require physical access to a victim's computer
  • Missing security headers that do not present an immediate security vulnerability.
  • Fraud Issues
  • Recommendations about security enhancement
  • SSL/TLS scan reports (this means output from sites such as SSL Labs)
  • Banner grabbing issues (figuring out what web server we use, etc.)
  • Open ports without an accompanying POC demonstrating vulnerability
  • Recently disclosed vulnerabilities. We need time to patch our systems just like everyone else – please give us two weeks before reporting these types of issues

Reward

Bug Bounty rewards will be paid in the form of popular gift cards. The value of the gift card will depend upon the severity and quality of the bug as below:

Bug Severity
Reward Value
High
$250
Medium
$150
Low
$100

Note

The final decision on bug eligibility and rewarding will be made by Empuls. The program exists at the firm’s discretion and can be canceled at any time.