VIDIO BUG BOUNTY - TERM & CONDITIONS
Please note that your participation in the Bug Bounty Program is voluntary and subject to the terms and conditions set forth on this page (“Program Terms”). By submitting a site or product vulnerability to Vidio you acknowledge that you have read and agreed to these Program Terms.
- ♦ Do NOT conduct non-technical attacks such as social engineering, phishing or unauthorized access to infrastructure.
- ♦ Do NOT perform any attack that could harm our services (e.g. DDoS/spam).
- ♦ Do NOT attack, in any way, our end users, or engage in trade of stolen user credentials.
- ♦ Do NOT use automated scanners and tools to find vulnerabilities.
- ♦ Do NOT perform automated/scripted testing of web forms, especially "Contact Us" forms that are designed for customers to contact our support team.
- ♦ You may investigate or target vulnerabilities against your own or test accounts, but testing must not disrupt or compromise any data or data access that is not yours.
- Note: Legal action will be taken against all attempts at prohibited testing.
In-Scope Vulnerability Classes
- ♦ Cross-site Scripting (XSS)
- ♦ Cross-site Request Forgery
- ♦ Server-Side Request Forgery (SSRF)
- ♦ SQL Injection
- ♦ Server-side Remote Code Execution (RCE)
- ♦ XML External Entity Attacks (XXE)
- ♦ Access Control Issues (Insecure Direct Object Reference issues, etc.)
- ♦ Exposed Administrative Panels that don't require login credentials
- ♦ Directory Traversal Issues
- ♦ Local File Disclosure (LFD)
Out-of-scope Vulnerability Classes
- ♦ Open redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g. stealing OAuth tokens, we do still want to hear about them.
- ♦ Publicly accessible login panels - These generally have low security impact and are in software that Vidio runs but doesn't control.
- ♦ Reports that state that software is out of date/vulnerable without a proof of concept.
- ♦ Host header issues without an accompanying proof of concept demonstrating vulnerability.
- ♦ XSS issues that affect only outdated browsers.
- ♦ Stack traces that disclose information.
- ♦ CSV injection. Please see this article.
- ♦ Best practices concerns.
- ♦ Highly speculative reports about theoretical damage. Be concrete.
- ♦ Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.
- ♦ Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.
- ♦ Denial of Service Attacks.
- ♦ Reflected File Download (RFD).
- ♦ window.opener-related issues.
- ♦ Physical or social engineering attempts (this includes phishing attacks against Pt. Kreatif Media Karya employees).
- ♦ Content injection issues.
- ♦ Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
- ♦ Missing autocomplete attributes.
- ♦ Missing cookie flags on non-security-sensitive cookies.
- ♦ Issues that require physical access to a victim's computer.
- ♦ Missing security headers that do not present an immediate security vulnerability.
- ♦ Fraud issues (please see the below section elaborating on this).
- ♦ SSL/TLS scan reports (this means output from sites such as SSL Labs).
- ♦ Banner grabbing issues (figuring out what web server we use, etc.).
- ♦ Open ports without an accompanying proof of concept demonstrating vulnerability.
- ♦ Recently disclosed 0-day vulnerabilities. We need time to patch our systems just like everyone else - please give us two weeks before reporting these types of issues.
The Bounty shall hold strictly to confidentiality regarding any related materials or information known by the bounty about the Vidio bug, whether disclosed directly or indirectly, in writing, electronically, orally or by inspection of tangible objects ("Confidential Information"). Except as otherwise expressly permitted by Vidio, the bounty shall not disclose any Confidential Information to third parties. The bounty shall take reasonable measures to protect the secrecy of, and to avoid disclosure and unauthorized use of, the Confidential Information, including but not limited to limiting the disclosure of such Confidential Information to third parties who have been advised of its confidential nature and have agreed not to disclose or use such Confidential Information except as permitted by Vidio. The bounty shall immediately notify Vidio in the event of any unauthorized or suspected use or disclosure of the Confidential Information. Notwithstanding the foregoing, the bounty shall have no obligations hereunder for any information which is already known to the bounty prior to disclosure by Vidio; is publicly available through no fault of the bounty; is lawfully and rightfully disclosed to the bounty by a third party under no confidentiality obligation to Vidio; or is independently developed by the bounty without reference to Confidential Information.
Changes to Program Terms
The Bug Bounty Program, including its policies, is subject to change or cancellation by Vidio at any time, without notice. As such, Vidio may amend these Program Terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the Bug Bounty Program after Vidio posts any such changes, you accept the Program Terms, as modified.