Infoarmor

InfoArmor aims to produce the most secure products in the world, in order to keep our customers and our business safe. We allow anyone in the world to responsibly disclose security issues to us directly.

We respect and appreciate your willingness to report security issues. Therefore, we strive to:

• Respond promptly to incoming reports.
• Communicate in timely fashion.
• Work with you through any issues that require cooperative interaction.
• Evaluate your reports with fairness.

#Respsonible Disclosure Rules

1. Research only what is in scope (defined below). If there are any questions, please contact us.
2. Cross-user-account attacks should only be conducted against test accounts.
3. Social engineering (e.g. phishing, vishing, smishing, etc.) is strictly prohibited.
4. Denial of Service (DoS) attacks, or performing operations which would cause DoS, is strictly prohibited.
5. Mass exfiltration of data is strictly prohibited. If such a vulnerability allowing this has been discovered, it should be reported in concept, with examples limited to test accounts.
6. All research should be non-destructive in nature. Any vulnerability discovered which could cause damage or downtime to systems should be reported in concept, without actual execution.
7. Do not attack third-party sites and services which InfoArmor employs to deliver site functionality.
8. Follow [HackerOne's disclosure guidelines and code of conduct](https://www.hackerone.com/disclosure-guidelines].
9. Follow the outlined PII terms (below).
10. Follow the outlined confidentiality terms (below).
11. Follow the outlined legal terms (below).

#Personally Identifiable Information (PII) InfoArmor takes seriously the protection of personally identifiable information (PII). Under no circumstances should user boundaries be crossed to other users' accounts, be they InfoArmor customers', employees', or any other real user accounts.

#Confidentiality Any information you receive or collect about InfoArmor or any InfoArmor user through our security program and the InfoArmor security team (“Confidential Information”) must be kept confidential and used only in connection with our security program. You may not use, disclose, or distribute any Confidential Information, including, but not limited to, any information regarding your submission and information you obtain when researching the InfoArmor sites, without InfoArmor’s prior written consent.

NOTE: We greatly appreciate receiving proof-of-concept videos. In fact, we encourage them, as it greatly helps us clearly understand reports. Please do not upload your videos to third-parties like YouTube or Vimeo. Upload them directly through our submission form. If the video is too large to upload, contact us and we will provide another means to upload.

#Legal In connection with your participation in this security program and its terms, you agree to comply with all applicable laws, including, but not limited to: federal state and local laws.

We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship.

InfoArmor has never given permission/authorization (either implied or explicit) to an individual or group of individuals to extract personal information or content of InfoArmor users and publicize this information on the open, public-facing Internet without user consent, nor has InfoArmor ever given permission for programs or data belonging to InfoArmor to be modified or corrupted in order to extract and publicly disclose data belonging to InfoArmor.

Vulnerabilities obtained by exploiting InfoArmor users or employees will result in immediate disqualification from the program and the exploiter will not be protected under any Safe Harbor policy. Failure to comply with any of the terms above will result in immediate disqualification from the program. InfoArmor reserves the right to change or modify the terms of this program at any time.

#Research Guidelines Please abide by the following guidelines in your research:

• No social engineering.
• No DoS attacks.
• No mass-exfiltration of data. Report the potential for mass-exfiltration by demonstrating it within your test accounts only.
• No destructive attacks to systems or data. If a vulnerability makes destructive actions possible, please report the potential; do not execute the attack.
• No access, exfiltration, or handling of PII. If access to PII outside of your test accounts is inadvertent, please report it immediately.
• Stay within the defined scope.
• Please strive to use the following user agent header format in your HTTP(S) requests (if possible):

H1:<HackerOne user name>:<InfoArmor user name> e.g. H1:hackerman007:iatestuser35

This helps to identify your network traffic as legitimate research, and not a potential malicious attack, which might result in being blocked.

#Scope The present scope is InfoArmor's PrivacyArmor product, a personal identity protection service which monitors users' personal identity information, credit report, and email, financial, and social media accounts.

##In-Scope Domains The following domains are in scope.

• account-api.infoarmor.com: service API supporting PrivacyArmor login.
• auth.infoarmor.com: login support.
• cdn.infoarmor.com: static content supporting the main PrivacyArmor subscriber UI.
• myportal.infoarmor.com: provides legacy support for the main PrivacyArmor subscriber UI.
• orders.infoarmor.com: provides PrivacyArmor subscriber enrollment, ultimately granting access to the main PrivacyArmor subscriber UI.
• privacyarmor.infoarmor.com: the main PrivacyArmor subscriber UI.
• privacyarmor-api.infoarmor.com: service API supporting the main PrivacyArmor subscriber UI.
• saauth.infoarmor.com: login support.
• signin-api.infoarmor.com: service API supporting PrivacyArmor login.
• socialmon-enrollments.infoarmor.com: provides enrollment for PrivacyArmor social media account monitoring. NOTE: the third-party social media sites themselves are not in scope.

More domains may be added in the future. NOTE: if during research there emerges a question about a specific domain, feel free to contact us to inquire further.

##Out-of-Scope Domains The following domains are out of scope:

• vigilanteati.infoarmor.com: site for InfoArmor's Advanced Threat Intelligence product.
• www.infoarmor.com: the InfoArmor marketing site.
• www.myprivacyarmor.com: the PrivacyArmor marketing site.
• All other unlisted InfoArmor domains and subdomains.
• All third-party domains and services.

##Out-of-Scope Vulnerabilities The following issues are considered out of scope:

• Rate limiting issues where InfoArmor already has protections in place.
• Clickjacking on pages with no sensitive actions.
• Unauthenticated/logout/login CSRF.
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof-of-Concept (POC).
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS).
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.

#Reporting Guidelines Please follow these guidelines for reporting:

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be triaged and resolved.
• Submit one vulnerability per report, unless you can chain the vulnerabilities.
• Remember, do not upload your videos to third-parties like YouTube or Vimeo. Upload them directly through HackerOne or our submission form. If the video is too large to upload, contact us and we will provide another means to upload.

#Response InfoArmor will make a best effort to respond to incoming reports within one (1) business day, triage within two (2) business days, but if a report is not detailed enough, we will respond and wait for more information from the reporter. Please allow for longer response times over weekends and holidays. We will try to keep you informed about our progress throughout the process.

#Contact Us If you need help, have questions, or want to give feedback, please feel free to contact us via email at:

[email protected]

Make sure to include your HackerOne account username so that we can follow up with HackerOne if necessary.

#Final Word InfoArmor thanks you for your research and hard work. Your contributions are an important part of the never-ending journey of securing our products. We greatly appreciate your efforts.