InstaSafe is committed to keeping its products and services secure and safe to use for everyone. If you are a security researcher or expert and believe you've identified security-related issues with InstaSafe's website or apps, we would appreciate you disclosing them to us responsibly. We appreciate your time and effort, and we will try to respond as quickly as possible. Please provide a detailed description of the issue so that it is easy for us to validate and fix vulnerabilities at our end. We will keep you updated as we work to fix the bug you have submitted. We will not take legal action against you if you play by the rules and act in good faith. InstaSafe reserves the legal right in case of any breach.
Responsible Disclosure Policy
Effective disclosure policy requires mutual trust, respect, and transparency between the security researchers and our security team.
- We request you to report any bug as soon as you discover it. We request you not to make any public disclosure before it has been fixed. We will confirm acknowledgement within 48 working hours of submission.
- Keep the information about the vulnerability discovered confidential till we have resolved the problem.
- Avoid any privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
- Avoid using test cases or vulnerability testing tools that generate a significant volume of traffic or disrupt our services.
- Refrain from accessing other users' accounts or data without permission.
- Use only test accounts to reproduce a vulnerability, and do not attempt it on live accounts.
- Submit a bug only if you have exploited a real vulnerability (refer to the scope exclusions below).
- Do not use scanners or automated tools to find vulnerabilities. They're noisy and might result in suspension of your user account/IP Address.
- We also request you not to attempt attacks such as social engineering or phishing. These kinds of bugs will not be considered valid, and if caught, might result in suspension of your account.
- The vulnerability must be original and previously unreported. The first reporter will have the benefit of the reward.
- Any improper public disclosure or misuse of information will entitle us to take appropriate legal action.
Out Of Scope
- Descriptive error messages (e.g. stack traces, application or server errors).
- SPF Misconfigured.
- Version disclosure.
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure and HttpOnly cookie flags.
- Lack of Security Speedbump when leaving the site.
- OPTIONS / TRACE HTTP method enabled
- SSL Attacks such as BEAST, BREACH, Renegotiation attack
- SSL Forward secrecy not enabled
- SSL Insecure cipher suites
- The Anti-MIME-Sniffing header X-Content-Type-Options
- Missing HTTP security headers
- Content Injection On Error Page
- Host Header Injection (if the attacker is only able to redirect to the supplied host name)
- phpMyAdmin, phpPgAdmin, or any other admin panel login page being accessible
- Brute Force attack
phpMyAdmin and phpPgAdmin are open to the public.
Some session issues, such as the session not expiring after logout or password reset; we are working on that.
Rate limit on the login panel and password reset endpoint of safehats; we are working on that.
xmlrpc.php DoS and login brute force
WordPress user info disclosure via REST API endpoint
Directory listing on some endpoints like /wp-includes/; we are working on that.
Things To Consider Before Reporting
- Don't submit a theoretical issue without a working PoC
- Don't submit a one-line report, will be closed as
- Mention steps to reproduce with a proof of concept
- Don't report those issues listed as known issues, else will be marked as