#ALSCO Promise
ALSCO looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
#Secure Gateway Promise
At ALSCO, we are committed to partnering with the security community to uncover vulnerabilities and safeguard our businesses and customers. Our flagship product, Secure Gateway, is uniquely developed with ALSCO's multi-patented technology and is a registered trademark of ALSCO. We envision Secure Gateway becoming a globally recognized, world-class product, setting new standards in security and innovation.
#Rewards
- Rewards are based on severity per CVSS (the Common Vulnerability Scoring System).
- All bounty amounts will be at the discretion of the ALSCO Bug Bounty team.
- Reports submitted using methods that violate policy rules will not be eligible for a reward.
- To be eligible for a reward, the report must be for bounty eligible assets as defined in the scope section of our policy.
- Multiple reports describing the same vulnerability against multiple assets or endpoints where the root cause is the same will be treated as one report. Do not submit duplicate reports for the same issue across multiple sites as the duplicates will be closed, and the issue will be treated as one report.
- While we aim for consistency, previous reports and prior bounty amounts will not set a precedent for future report eligibility or severity.
- Understand that there could be submissions for which we accept the risk, have other compensating controls, or will not address in the manner expected. When this happens, we will act as transparently as we can to provide you with the necessary context as to how the decision was made.
#Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will make it known that your actions were conducted in compliance with this policy. ALSCO reserves all legal rights in the event of noncompliance with this policy.
#Program Eligibility
- You agree and adhere to the Program Rules and Legal terms as stated in this policy.
- You are the first to submit a sufficiently reproducible report for a vulnerability in order for the report to be accepted and triaged.
- You are available to supply additional information, as needed by our team, to reproduce and triage the issue.
- Publicly known zero-day vulnerabilities will not be considered for eligibility until more than 30 days have passed since patch availability.
- Out-of-scope vulnerability reports or reports that are technically reproducible but pose a very low security impact are likely to be closed as Informative.
- ALSCO employees and employees of third parties whose assets are in scope are not eligible for participation in this program.
- Hackers should record a video showing a full, real example, with a complete explanation of how they can attack our application.
- Only a full attack scenario will be accepted, e.g., the ability to edit the index page or download the database.
#Program Rules
Do:
- Read and abide by the program policy.
- Perform testing using only accounts that are your own personal/test accounts or an account that you have explicit permission from the account holder to utilize.
- Exercise caution when testing to avoid negative impact to customers and the services they depend on.
- STOP testing if you are unsure about the impact it may have on our systems. If you think you may cause, or have caused, damage with testing a vulnerability, report your initial finding(s) and request authorization to continue testing.
Do NOT:
- Do not brute-force or guess credentials to gain access to systems.
- Do not participate in denial of service attacks.
- Do not upload shells or create a backdoor of any kind.
- Do not engage in any form of social engineering of ALSCO employees, customers, or vendors.
- Do not engage or target any ALSCO employee, customer, or vendor during your testing.
- Do not attempt to extract, download, or otherwise exfiltrate data that you believe may have PII or other sensitive data other than your own.
- Do not change passwords of any account that is not yours or that you do not have explicit permission to change. If ever prompted to change a password of an account you did not register yourself or an account that was not provided to you, stop and report the finding immediately.
- Do not do anything that would be considered a privacy violation, cause destruction of data, or interrupt or degrade our service. Do not interact with accounts you do not own or without the explicit permission of the account holder.
#Disclosure Policy
You may not discuss this program or any vulnerabilities (even invalid and resolved ones) outside of the program without express consent from the organization. If you are interested in sharing any information about your testing methodology related to an ALSCO report, you must request permission on your report and you must receive written approval from an ALSCO team member.
#Legal
ALSCO reserves the right to modify the terms and conditions of this program, and your participation in the Program constitutes acceptance of all terms. Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting. You can subscribe to receive email notifications when this policy is updated.
#Scope exclusions
- ALSCO reserves the right to add to and subtract from the Exclusions list depending on the evaluated severity of reported vulnerabilities and risk acceptance.
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user's device
- Previously known vulnerable libraries without a working Proof of Concept
- Missing best practices in SSL/TLS configuration
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Any activity that could lead to the disruption of our service (DoS), including but not limited to, inundating support services with invalid requests
- Brute-force oracle attacks against unauthenticated endpoints
- Missing best practices in Content Security Policy
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors)
- Tabnabbing
- Issues that require unlikely user interaction by the victim
- Stealing cookies from the browser via Cross-Site Scripting (XSS)
- Anything not listed in the ALSCO HackerOne scope will not qualify.
- Any bugs in the firewallgateway.com domain, as it is just a redirect page hosted on a different server.
#Secure Gateway Bypasses
At ALSCO, we view Secure Gateway bypasses as opportunities to enhance our Secure Gateway product rather than classify them as bugs. Consequently, any reports related to Secure Gateway bypasses will be marked as Informative. To validate your findings, please ensure all Secure Gateway bypass reports are reproducible on our test site http://checksw.com, which you are welcome to use for testing. Bypasses deemed innovative or particularly interesting may be eligible for a bonus at our program's discretion. Please note that similar bypass reports may be closed as Duplicate if they mirror previous submissions.
#Out of Scope
The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions.
- Unauthenticated logout/login CSRF.
- Attacks requiring MITM or physical access to a user's device.
- Subdomain takeovers under *.checksw.com
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Output from automated scanners without a PoC to demonstrate a specific vulnerability.
- Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.
- Any activity that could lead to the disruption of our service (DoS).
- SaaS applications, even if published under Secure Gateway Firewall.
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Lack of Secure or HttpOnly flag on non-sensitive cookies.
- Open redirects without demonstrating an attack
- Email configuration issues without a PoC to demonstrate a specific flaw.
- Broken links without demonstrating an attack
- Issues with apps on the Secure Gateway or ALSCO marketplace that are created by third parties
- Business logic errors and misconfigurations are out of scope, but you are welcome to submit reports.
- We only accept reports concerning what is published within the ALSCO Program scope; everything else will be closed.
Any of the activities below will result in disqualification from ALSCO program permanently:
- Social engineering of ALSCO employees, contractors, vendors, or service providers.
- Physical attacks against ALSCO employees, offices, and data centers.
- Any Denial of Service attacks against ALSCO and our products.
- Any vulnerability obtained through the compromise of an ALSCO customer or employee account. Please contact us to create a free account to test potential vulnerabilities.
- Attempts to access/compromise customer assets that use ALSCO.
- Attempts to access/compromise any 3rd party vendor that ALSCO uses.
- Attacks against the integrity of ALSCO customers.
If you don't follow these guidelines we will not award a bounty for the report.
#Required Reporting Format
*Submitting high-quality reports is highly encouraged. Please include the following information in your report to demonstrate the quality of the vulnerability. Reports that are low quality or unclear will be closed. This recommended format will help you create a report that is readable and contains all the information needed by the ALSCO and Secure Gateway teams.
- Affected target, feature, or URL:
- Description of problem:
- Impact of the issue:
- Steps to reproduce:
- Proof of Concept:
- Is knowledge of this issue currently public?
- Any report that does not follow these guidelines will be rejected and closed.
#F.A.Q.
- Can I get ALSCO swag?
*We only give swag to hackers in certain countries.
- Can ALSCO provide me with a pre-configured test account?
*Yes.
- What is required when submitting a report?
- How do I make my report great?
- I submitted a report. Now what? I have questions.
- What causes a report to be closed as Informative, Duplicate, N/A, or Spam?
- If I found a bug that is not in the ALSCO Program Scope, will I qualify for the bug bounty?
*No. Only findings within the ALSCO Program Scope are eligible for a bounty.
- What is an example of an accepted vulnerability?
*Valid and accepted vulnerabilities are reports that identify a unique security impact on this program's specific scope. The report must also meet any submission criteria outlined in the policy, such as test plan instructions and a working proof of concept.
*Please note that the test site (http://checksw.com) is a sandbox environment in which many Secure Gateway security functions are disabled. Some tools and methods will work there but will not work on the live product. Accordingly, we will check whether your report works against the live version and let you know after checking. If it only works in the test environment, that is because we have disabled many security features there for testing, and the report will be closed.