HALL OF FAME

BYTE BLOGGERBASE RESPONSIBLE DISCLOSURE PROGRAM

Introduction

At Byte Bloggerbase, we take system security very seriously and continuously work to maintain a safe and secure environment for all users. However, ensuring system security is an ongoing process, and we welcome any reports of security vulnerabilities associated with our Byte Bloggerbase services.

Byte Bloggerbase invites skilled security researchers to participate in our Vulnerability Disclosure Program. As an external security researcher, you can engage with Byte Bloggerbase by reporting any vulnerabilities to us in accordance with our Responsible Disclosure Policy. Byte Bloggerbase reserves the right to determine the validity of a report based on the impact of the vulnerability.
Policy
  • -> Byte Bloggerbase genuinely values the assistance of security researchers and others in the security community in helping keep our systems secure. However, we insist that researchers follow the rules set out in this Responsible Disclosure Policy when reporting a vulnerability to us.
  • -> Reach out to [email protected] if you have found any potential vulnerabilities in our product and infrastructure that meet the criteria set out in the policy below.
  • -> Our security team will acknowledge your submission within 72 hours.
  • -> Byte Bloggerbase will define the severity of the issue based on its impact and ease of exploitation.
  • -> We may take 3 to 5 days to validate the reported issue.
  • -> Please refrain from accessing sensitive information (use a test account and/or system), performing actions that may negatively affect other Byte Bloggerbase users (such as denial of service), or sending reports from automated tools.
  • -> You must not exploit a security vulnerability that you discover for any reason.
  • -> Perform research only within the scope set out below.
  • -> As a researcher, you are not permitted to access, download, or modify data residing in any account that does not belong to you, or to attempt any such activity.
  • -> Keep information about any vulnerability confidential until the issue is resolved. Do not publicly disclose details of a security vulnerability that you have reported without Byte Bloggerbase's permission.
  • -> Byte Bloggerbase commits to publicly acknowledge and recognize your responsible disclosure on our Hall of Fame page.
  • -> Byte Bloggerbase determines recognition in the Hall of Fame based on a variety of factors, including (but not limited to) impact, ease of exploitation, and quality of the report. Note that extremely low-risk vulnerabilities may not qualify for the Hall of Fame at all.
  • -> In the event of duplicate reports, we give recognition to the first person to submit a vulnerability. (Byte Bloggerbase determines duplicates and may not share details on the other reports).
Reporting Guidelines
  • -> To register yourself after identifying a vulnerability, please send an email to security Byte Bloggerbase.com with the details.
  • -> After registration, please only use the registered email ID when interacting with the Byte Bloggerbase security team. Do not use personal emails, social media accounts, or other private connections to contact a member of the security team regarding vulnerabilities or any program-related issues, unless instructed to do so.
  • -> In your report, please provide the following details:
    • 1 Description and potential impact of the vulnerability;
    • 2 A detailed description of the steps required to reproduce the vulnerability;
    • 3 Screenshots and video POC, if available;
    • 4 Your preferred name/handle for recognition in our Security Researcher Hall of Fame.
Target Scope
Only the following domains are included in the scope of this program, and researchers are recommended to look for security vulnerabilities within them:

*.ByteBloggerbase.com
Exclusion of Third-Party Software:
As part of providing services to its customers, Byte Bloggerbase uses integrations with third-party software. This program does not extend to any such third-party software, and bugs or vulnerabilities detected in such third-party software will not be considered a valid find. Nonetheless, any such vulnerabilities communicated to Byte Bloggerbase may be passed on to the third-party service provider.
In-Scope Vulnerabilities
  • -> Remote code execution (RCE)
  • -> Account takeover attack (ATO)
  • -> SQL injection, XXE injection, and command injection
  • -> Stored Cross-Site Scripting and impactful Reflected XSS
  • -> Server-side request forgery (SSRF)
  • -> Misconfiguration issues on servers and applications
  • -> Authentication and authorization vulnerabilities, including horizontal and vertical privilege escalation
  • -> Cross-site request forgeries (CSRF)
  • -> Sensitive information leak and IDOR
  • -> Domain take-over vulnerabilities
  • -> Any vulnerability that can affect the Byte Bloggerbase Brand, User (Customer/Merchant) data, and financial transactions
Out-of-Scope Vulnerabilities
  • -> Social engineering (including phishing) with any Byte Bloggerbase staff or contractors
  • -> Denial of Service, Distributed-DoS
  • -> X-Frame-Options related issues, and missing cookie flags on non-sensitive cookies
  • -> Missing security headers that do not lead directly to a vulnerability (unless you deliver a PoC)
  • -> Version exposure (unless you deliver a PoC of a working exploit)
  • -> Directory listing with already publicly readable content
  • -> HTML injection and Self-XSS
  • -> Information disclosure not associated with a vulnerability, e.g. stack traces, application or server errors, robots.txt, etc.
  • -> Use of known-vulnerable libraries (such as OpenSSL) without proof of exploitation
  • -> Log-in or forgotten password page brute forcing and account lockout not being enforced
  • -> Application denial of service by locking user accounts
  • -> Reports from automated scripts or scanners
  • -> Clickjacking and issues only exploitable through clickjacking
  • -> Missing or weak CAPTCHA, or CAPTCHA bypass
  • -> SSL issues such as BEAST, BREACH, renegotiation attack, forward secrecy not enabled, weak/insecure cipher suites, and missing best practices
  • -> HTTP TRACE or OPTIONS methods enabled
  • -> Login/logout CSRF
  • -> Open ports without an accompanying proof-of-concept demonstrating vulnerability
  • -> Reflected XSS (unless you deliver a PoC showing impact)
  • -> Formula Injection or CSV Injection
  • -> EXIF data not stripped on images
  • -> Rate limiting
  • -> Missing HTTP security headers and cookie flags on non-sensitive cookies
  • -> Email issues related to SPF/DKIM/DMARC
  • -> User email enumeration
Byte Bloggerbase reserves the right to expand this list and include additional exclusions when required.
Acknowledgments
We do not offer a bounty or cash reward program for security disclosures, but we express our gratitude to security researchers publicly. As a gesture of appreciation and goodwill, we will add your name to our Hall of Fame. If you want to be recognized, please provide us with your name, Twitter handle, or LinkedIn profile as you wish it to be displayed on our Hall of Fame page.