Details

No technology is perfect, and Endless Group believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Raisable Information

Endless Group's HackerOne program includes Raisable, our in-house developed fundraising platform. Raisable's domains are included below. Reports submitted for Raisable are handled by the same response team as reports for our other services, but may have a faster respon This same policy, including all rules regarding the use of automated tools, applies to Raisable as well as our standard services.

Disclosure Policy

Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
SPAMMING ANY OF OUR SIGNUP OR SUPPORT FORMS WILL RESULT IN YOU BEING BLOCKED FROM THE PROGRAM!
At this time we can only offer in-service rewards. If you would like these rewards, please let us know once your bug is marked as resolved. These rewards include things such as plan upgrades.
Most of our services use programs or code created by other companies. Our ticket resolution time, as well as our ability to disclose vulnerabilities, will depend on those external companies, where applicable. We reserve the right to refuse public disclosure of any issue at the request of an external company. Additionally, we may not be able to accept a bug report for external software, especially in the case of any software that does not have their own report/ticketing system

Exclusions

While researching, we'd like to ask you to refrain from:

Denial of service
Spamming
Social engineering (including phishing) of Endless Group staff or contractors
Any physical attempts against Endless Group property or data centers
Spamming our support or signup forms using automated tools

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Out of Scope

Besides the domains/things listed as Out of Scope below, the following are also considered N/A:

Hosting customer owned sites (*.endl.site), or anything that is user-generated content on the service.
Attacking random addresses on our CIDR range. Our CIDR range includes customer sites. Please do not scan and attack addresses on this range without a forward or reverse DNS answer that is listed as in scope below, as otherwise you will be disrupting services not owned by Endless Group. Attacks against customer owned sites or IP addresses are NOT COVERED by our safe harbor policy!
Insecure-Cookies as these generally do not pose a large security risk.
Clickjacking vulnerabilities as these also generally do not pose a large risk.
HSTS/HSTS-Preloading.
Password auth allowed on SSH-- we utilize a one-time-use password system.
Invalid SPF Setups (This only applies to GMail. Please test with other providers prior to reporting).
Account existence/valid email disclosure-- this is almost impossible to avoid given the nature of our services.

Thank you for helping keep Endless Group and our users safe!

Raisable Information

Disclosure Policy

Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.

Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

SPAMMING ANY OF OUR SIGNUP OR SUPPORT FORMS WILL RESULT IN YOU BEING BLOCKED FROM THE PROGRAM!

At this time we can only offer in-service rewards. If you would like these rewards, please let us know once your bug is marked as resolved. These rewards include things such as plan upgrades.

Most of our services use programs or code created by other companies. Our ticket resolution time, as well as our ability to disclose vulnerabilities, will depend on those external companies, where applicable. We reserve the right to refuse public disclosure of any issue at the request of an external company. Additionally, we may not be able to accept a bug report for external software, especially in the case of any software that does not have their own report/ticketing system

Safe Harbor

Out of Scope

Besides the domains/things listed as Out of Scope below, the following are also considered N/A:

Hosting customer owned sites (*.endl.site), or anything that is user-generated content on the service.

Attacking random addresses on our CIDR range. Our CIDR range includes customer sites. Please do not scan and attack addresses on this range without a forward or reverse DNS answer that is listed as in scope below, as otherwise you will be disrupting services not owned by Endless Group. Attacks against customer owned sites or IP addresses are NOT COVERED by our safe harbor policy!

Insecure-Cookies as these generally do not pose a large security risk.

Clickjacking vulnerabilities as these also generally do not pose a large risk.

HSTS/HSTS-Preloading.

Password auth allowed on SSH-- we utilize a one-time-use password system.

Invalid SPF Setups (This only applies to GMail. Please test with other providers prior to reporting).

Account existence/valid email disclosure-- this is almost impossible to avoid given the nature of our services.

Thank you for helping keep Endless Group and our users safe!