Go to https://enter.health and click "Sign In" to register.
Enter recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.
Responsible disclosure includes:
- Adhering to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the legal agreements you accepted before being admitted to this bounty program
- Being the first to submit this particular vulnerability
- Not disclosing or discussing the vulnerability outside of this program, before or after submitting it
- Providing us a reasonable amount of time to fix the issue before publishing it elsewhere
- Making a good-faith effort not to leak or destroy any user data
- Not defrauding Enter users or Enter itself in the process of discovery
In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.
Eligibility
Enter reserves the right to decide if the minimum severity threshold is met and whether it was previously reported.
The following attributes are expected in a valid submission:
- The type of issue being reported: what kind of attack it is, whether it maps to a CWE number, etc.
- Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it.
- The potential impact of the bug
- How a malicious user could potentially benefit from this issue
**Exclusions**
In general, the following would not meet the threshold for severity:
- Automated test results (these should never be submitted)
- Vulnerabilities on third-party sites not listed in the scope, unless they lead to a vulnerability on the main application
- Denial of service
- SPF records
- Vulnerabilities in third party applications which make use of the Enter API
- Issues, particularly man-in-the-middle attacks, surrounding one-time-use CSRF tokens and regeneration of session IDs
- Password complexity
- Attacks requiring physical access to the victim's machine
- Clickjacking attacks, which are unlikely to meet the severity threshold since we require framing of certain sections of our site
- Lack of security-related headers, such as Content-Security-Policy, Public-Key-Pins, X-XSS-Protection, X-Content-Type-Options, X-Frame-Options
- SSL/TLS configuration issues, such as Perfect Forward Secrecy not supported or TLS 1.0 / 1.1 still enabled
- HTTP Strict Transport Security (HSTS) not enforced
- Lack of the HttpOnly or Secure flag on non-session cookies
- CSRF token verification missing from pages (unless you can do something impactful with the request)
- Autocomplete enabled
- Banner disclosures
- Session timeout
- window.opener issues
- Cross-Script Includes (unless a particularly creative or damaging exploit can be found as a result)
- SSO /auth/Home/SetCookie?token query string information disclosure (unless you can demonstrate a compelling way to exploit this to hijack a user's account or bypass authentication)
- Text / content injection
- Email spoofing directly or as it ties to any of our contact forms
- DNSSEC configuration
- Rate-limiting on endpoints
- Password (credential) stuffing attacks, in general
- Generic error messages
- Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)
- Control-character injection (unless you can do something impactful against users other than yourself)
- Attacks that only work against yourself (e.g. host header injection, self-XSS)
- Account-age issues
- Issues arising from user-driven configuration of third-party authentication systems (e.g. 2FA not applying to such logins, despite our notice here)
- Recently released zero-day vulnerabilities; please give us time to patch
The goal for this bug bounty program is to demonstrate exploitable vulnerabilities.
Rewards
The minimum payout is $250 for reporting a previously unknown security vulnerability of sufficient severity that can be directly exploited. There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found. We may reward $25 - $50 in cases where our security is adjusted for better defense in depth but no direct exploitation is possible.
Thank you for helping keep our community safe!