Aeromexico VDP
External Program
Aeromexico Vulnerability Disclosure Policy
Aeromexico looks forward to collaborating with the cybersecurity researcher community in order to keep our systems and information safe and resilient. This program is designed to engage with researchers so that any vulnerability is reported responsibly, thereby strengthening our cybersecurity defenses. By participating in this program, you adhere to the HackerOne Community Member Terms and Conditions (https://www.hackerone.com/terms/community) and the HackerOne Vulnerability Disclosure Guidelines (https://www.hackerone.com/disclosure-guidelines), except for those conditions explicitly stated in this policy.
We will try to keep you informed about our progress throughout the process.
Disclosure Policy
Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization. Follow HackerOne's disclosure guidelines (https://www.hackerone.com/disclosure-guidelines).
Eligibility requirements
In order to responsibly disclose any vulnerability and to comply with the organization's Vulnerability Disclosure Policy, the following conditions must be met:
Aeromexico does not accept vulnerability submissions from current employees, contractors, or their immediate family members.
This Vulnerability Disclosure Program does not offer monetary rewards or compensation of any kind.
Vulnerabilities in scope
Any type of cross-site scripting (Stored, Reflected, DOM).
Any type of Injection (SQL, OS, XML).
Cross-site request forgery (CSRF/XSRF) on authenticated forms or forms with sensitive actions.
Security misconfigurations with significant impact.
Business logic abuse with significant impact.
Authentication/authorization bypass (broken access control).
Directory traversal / local file inclusion.
CRLF (Carriage Return Line Feed) injection.
Privilege Escalation (lateral and vertical).
Vulnerabilities out of scope
When reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
[List of out-of-scope items, omitted here for brevity but fully included in the file.]
Scope Leniency
This program will not accept submissions for assets that are not listed as in scope.
Program Rules
Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
Session Layer: HTTP Headers
Researchers should add headers to their requests such as:
X-HackerOne-Research: [H1 username]
Restrictions
The following actions are strictly prohibited:
Post-exploitation of any vulnerability, including any loss of integrity, modification, or destruction of data.
Brute-force, dictionary, or password-spraying attacks leading to account takeover.
DoS/DDoS attacks.
Phishing, vishing, or any other type of social engineering attack.
Penetration testing of any infrastructure component.
Testing any avionics system, such as the navigation system, entertainment system, or aircraft Wi-Fi system.
Physical attacks in the proximity of aircraft or airport facilities.
Note: Any non-compliance with this policy shall be considered as grounds for disqualification.
Thank you for helping keep Aeromexico and our users safe!