==Do not fill out any forms on our www.greenfly.com web site requesting a login to Greenfly. These requests will not be granted.==
Greenfly looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.
Program Policy
Security researchers will disclose potential weaknesses in compliance with the following guidelines:
Do
- Attempt to find vulnerabilities within our "in scope" services (portal.greenfly.com, api.greenfly.com).
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- Understand multiple vulnerabilities caused by one underlying issue should be combined into a single report.
- Provide a clear, concise description of the steps needed to reproduce any vulnerability you submit.
- Provide the complete details related to the security issue, including proof-of-concept (POC) URL, as well as the details of the system(s) where tests have been conducted.
- Follow HackerOne's disclosure guidelines.
Don't
- Don't attempt to find vulnerabilities within our "out of scope" services (www.greenfly.com).
- Don't fill out any forms on our "www.greenfly.com" web site requesting a login to Greenfly. These requests will not be granted.
- Don't cause harm to Greenfly, its customers, shareholders, partners or employees.
- Don't engage in any act that may cause an outage or stop any of Greenfly's services. Any testing that has a negative impact on the availability of our products and services can result in being blocked or banned.
- Don't engage in illegal activities or any acts that violate any international laws or regulations, or federal or state laws or regulations.
- Don't store, share, compromise or destroy any Greenfly data or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify Greenfly.
- Don't discuss any vulnerabilities (even resolved ones) outside of the program without express consent from Greenfly.
Out of Scope Vulnerabilities
The following types of vulnerabilities are out of scope for this program:
- Phishing and social engineering attacks
- Issues on www.greenfly.com (our marketing web site)
- Missing best practices in SSL/TLS configuration
- Missing best practices in email configuration (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Missing best practices in Content Security Policy
- Missing HttpOnly or Secure flags on cookies
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Rate limiting or brute-force issues (e.g. repeatedly requesting password resets)
- Copy/pasting tool output (ex: WPScan results, SSL Labs links) as a report
- Open redirect - unless an additional security impact can be demonstrated
- Mobile Apps - Class, method name, or API token leak as a result of disassembly
Test Plan
When making any web requests to the Greenfly platform, please include the following HTTP header to help accelerate our validation of reports:
X-HackerOne-Username: <username>
Response Targets
Greenfly will make a best effort to meet the following response targets for hackers participating in our program:
- Time to first response (from report submit) - 5 business days
- Time to triage (from report submit) - 10 business days
We'll try to keep you informed about our progress throughout the process.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Submission Guidelines
All potential weaknesses submitted must include enough information to reproduce and validate the issue. Documentation should include a detailed summary of the issue, targets, steps performed, screenshots, tools utilized, and any information that will help Greenfly during triage.
Privacy and Security Notice
Greenfly is committed to leveraging technology in a way that provides you transparency into how we collect, process, and share personal information. In accordance with the terms of the Greenfly Privacy Policy, you understand and agree that, by providing us with an inquiry or a submission, we may collect certain information about you, your device, and your use of the Greenfly platform.
Thank you for helping keep Greenfly and our users safe!