NeedlAIBounty is committed to keeping its products and services secure and safe for everyone to use. If you are a security researcher or expert and believe you have identified a security-related issue in NeedlAIBounty's website or apps, we would appreciate you disclosing it to us responsibly.
We appreciate your time and effort, and we will try to respond as quickly as possible. Please provide a detailed description of the issue so that we can easily validate and fix the vulnerability at our end. We will keep you updated as we work to fix the bug you have submitted. We will not take legal action against you if you play by the rules and act in good faith. NeedlAIBounty reserves the legal right to act in case of any breach.
Responsible Disclosure Policy
An effective disclosure policy requires mutual trust, respect, and transparency between security researchers and our security team.
- We request that you report any bug as soon as you discover it, and that you make no public disclosure before it has been fixed. We will acknowledge your submission within 48 working hours.
- Keep the information about the vulnerability you discovered confidential until we have resolved the problem.
- Avoid any privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
- Avoid using test cases or vulnerability testing tools that generate a significant volume of traffic or disrupt our services.
- Refrain from accessing other users' accounts or data without permission.
- Use only test accounts to reproduce a vulnerability; do not attempt anything on live accounts.
- Submit a bug only if you have exploited a real vulnerability (refer to the Out Of Scope section below).
- Do not use scanners or automated tools to find vulnerabilities. They're noisy and might result in suspension of your user account/IP Address.
- We also request that you not attempt attacks such as social engineering or phishing. These kinds of bugs will not be considered valid, and if caught, you might have your account suspended.
- The vulnerability must be original and previously unreported. The first reporter will receive the reward.
- Any improper public disclosure or misuse of information will entitle us to take appropriate legal action.
- Don't do anything illegal.
- Don't engage in any activity that exploits, harms, or threatens to harm children.
- Don't send spam. Spam is unwanted or unsolicited bulk email, postings, contact requests, SMS (text messages), or instant messages.
- Don't share inappropriate content or material (involving, for example, nudity, bestiality, pornography, graphic violence, or criminal activity).
- Don't engage in activity that is false or misleading.
- Don't engage in activity that is harmful to you, the Program, or others (e.g., transmitting viruses, stalking, posting terrorist content, communicating hate speech, or advocating violence against others).
- Don't infringe upon the rights of others (e.g., unauthorized sharing of copyrighted material) or engage in activity that violates the privacy of others.
- Don't help others break these rules.
Out Of Scope
- Descriptive error messages (e.g. stack traces, application or server errors).
- SPF misconfiguration.
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure and HTTPOnly cookie flags.
- Lack of Security Speed Bump when leaving the site.
- OPTIONS / TRACE HTTP method enabled.
- SSL attacks such as BEAST, BREACH, or the renegotiation attack.
- SSL forward secrecy not enabled.
- Open redirect, unless an additional security implication can be demonstrated.
- Self XSS.
- SSL insecure cipher suites.
- Missing anti-MIME-sniffing header (X-Content-Type-Options).
- Missing HTTP security headers.
- Content injection on error pages.
- Host header injection without a specific, demonstrable impact.
- Brute force attacks.
- Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
Things To Consider Before Reporting
- Don't submit theoretical issues without a working POC.
- Don't submit one-line reports; they will be closed as spam.
- Clearly describe the steps to reproduce, with a proof of concept.
- Don't report issues listed as known issues; they will be marked as Not Acceptable.
Bounty Payout Scale