Scope

For now, only the DRIVE2 web application (www.drive2.ru) is in scope. The valid attack surface is anything on that domain and any subdomains except ones explicitly mentioned in the "Scopes" section below. However, if you find any vulnerabilities in our other products, you're welcome to report them as well.

We are most interested in the following vulnerabilities:

• Remote Code Execution (RCE)
• Privilege Escalation
• Account Takeover
• Cross-site Scripting (XSS)

Please do not report:

• Missing Content-Security-Policy and Feature-Policy headers
• Username, email, and phone number enumeration
• Paths exposed in our robots.txt file
• Disabled "X-XSS-Protection" header
• Concerns about 3rd party JavaScript and mixed content
• Lack of X-Frame-Options header, unless the page can really be clickjacked

Out of scope

Both search functions are provided by a 3rd party https://www.drive2.ru/market/ https://www.drive2.ru/search/

Reporting Policy

When submitting the report, make sure to include:

• A short summary
• Steps to reproduce
• Security impact (if not clear from the summary/description)

Disclosure Policy

We will abide by HackerOne's disclosure guidelines.. Disclosure is possible only after the issue you reported is fixed and confirmed to be safe to disclose by our developers.

Exclusions

While researching, we'd like to ask you to refrain from:

• Denial of service
• Utilising automated scanners that may have an impact on our systems
• Spamming
• Social engineering (including phishing)
• Anything requiring physical access

Thank you for helping keep DRIVE.NET, Inc. and our users safe!

Естественно, мы также принимаем отчеты на русском языке. Спасибо, что помогаете нам стать безопаснее.