Hotmart Vulnerability Disclosure Program
Introduction
Hotmart is a leading platform that provides creators with everything they need to succeed in the creator economy. From easy-to-use tools for building products to affiliate marketing, a secure payment system, and a powerful members area.
As a technology-driven company, we are concerned with keeping our applications secure, as they are what help thousands of people live their passions.
Program Highlights
- Closed Scope: Only accepts reports based on the listed scope.
- Gold Standard Safe Harbor: Adheres to Gold Standard Safe Harbor.
- Coordinated Vulnerability Disclosure: Standard disclosure practices.
- Top Response Efficiency: This program's response efficiency is above 90%.
Response Targets
Hotmart will make a best effort to meet the following response targets for hackers participating in our program. If any additional information is required from you, please allow for another 5 days for our team to review and respond. Our security team often needs to validate internally with our development team. In those cases, your patience will be much appreciated.
| Type of Response | SLA in business days |
|---|---|
| First Response | 5 days |
| Time to Triage | 8 days |
| Time to Resolution | depends on severity and complexity |
We'll try to keep you informed about our progress throughout the process.
Disclosure Policy
- Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's disclosure guidelines.
- Disclosure is strictly prohibited.
Program Rules
- The *.buildstaging.com environment is available only from Monday to Friday. Do not perform tests in a production environment.
- Only test against assets that are explicitly defined in the scope.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible.
- Please use markdown to send commands and HTTP request/response examples.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only accept the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be treated as a single report; only the first one will be accepted.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- Although HackerOne has Detailed Platform Standards, the final severity of the vulnerability will be determined by the Hotmart team, considering internal criteria that may result in a different severity.
Subdomain Takeover
Researchers must provide a proof of concept (PoC) demonstrating that the takeover was performed by them (e.g., by creating a PoC that includes their nickname).
Takeovers conducted by third parties will be accepted as Informative.
Cross Site Scripting (XSS)
If you find an XSS, please include the following in your report:
- Who are the attacker and the victim in the context of this XSS? E.g., can a customer without privileges affect an admin user through this XSS vulnerability?
- Is the attacker able to obtain the victim's session cookie through this XSS vulnerability? If not, considering the application context, what is the worst thing an attacker could do through this vulnerability?
- Does the attacker need to encode the XSS payload to bypass any sanitization controls?
Session Layer: HTTP Headers
Researchers should add headers to requests such as:
| Identifier | Format | Example |
|---|---|---|
| Your Username | X-Bug-Bounty: HackerOne-<username> | X-Bug-Bounty: HackerOne-bughunter |
Big Reward
Researchers who demonstrate excellence by submitting 2 valid critical severity reports or 4 valid high severity reports may apply for entry into our prestigious Hotmart private program.
As a member of the Hotmart private program, you'll unlock:
- Access to various platform features.
- Opportunity to participate in special bug bounty campaigns.
- Higher bounty payouts and more!
About Us
Hotmart is a platform for the distribution of digital products, offering services to host a product, help boost sales, and process payments. Hotmart has three different profiles that can be found within the platform: Producers, Affiliates and Customers.
- Producers are people or companies who publish some kind of digital content to be sold online. This includes courses, e-books or any other form of digital product.
- Collaborators are profiles with permissions to perform certain tasks for the Producers, and help manage their sales and customers. For each collaborator profile, Producers can define specific permissions and add collaborators to each of them.
- Affiliates are people or companies who participate in an Affiliate Program and wish to earn commissions by recommending or promoting other people's or companies' products.
- Customers are the consumers who buy or access digital products through Hotmart's platform.
Test Plan
- STOP testing if you are unsure about the impact it may have on our systems. If you think you may cause, or have caused, damage while testing a vulnerability, report your initial finding(s) and request authorization to continue testing.
- Please use your hacker email alias when testing ([email protected])
- Only interact with accounts you own or with the explicit permission of the account holder.
- Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests.
- Do not upload shells or create a backdoor of any kind.
- No data deletion or alteration is allowed.
- Minimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools - these tools include payloads that could trigger state changes or damage production systems and/or data.
- Register an account at: https://sso.buildstaging.com/signup
Test Card Information 1
- Card Banner: VISA
- Card number: 4111 1111 1111 1111
- Name on Card: Any name
- Expiration: 03/30
- CVV: 737
Test Card Information 2
- Card Banner: MASTERCARD
- Card number: 5555 4444 3333 1111
- Name on Card: Any name
- Expiration: 03/30
- CVV: 737
Generating a Brazilian CPF (document ID)
If a form requires a CPF, you can use a fake CPF produced by a CPF generator, such as the ones available online.
This fake CPF is just for testing purposes.
Out of Scope Vulnerabilities
- Any activity that could lead to the disruption of our service (DoS or DDoS).
- Clickjacking
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Self-exploitation (self XSS, self denial-of-service, etc.), unless a method to attack a different user can be demonstrated.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Rate limiting or other 'load testing' types of issues
- Brute force of promo code
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC/TXT records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version)
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Tabnabbing
- Open redirect - unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction
- Internal IP exposure, unless you can do something impressive with it
- Leaking information via the Referer header
- Password or account recovery policies, such as reset link expiration or password complexity
- Account/email Enumeration
- Session fixation
- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc, will be analyzed in each case and may not be eligible for bounty.
- Content spoofing, XSS or HTML injection in places that intentionally accept HTML, or on third-party subdomains.
- Any GraphQL vulnerabilities with DoS impact
- 0-day and other CVE vulnerabilities reported 30 days after initial publication (CVE List Status of Published).
Nginx Misconfiguration Issues
The following Nginx-related security issues are considered out of scope for this bug bounty program:
Common Nginx Configuration Issues:
- Missing security headers (X-Frame-Options, X-Content-Type-Options, etc.)
Nginx Proxy Configuration:
- Proxy bypass attempts through header manipulation
- X-Forwarded-For spoofing
Server Block Configuration:
- Default error pages exposed
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Hotmart and our users safe!