At is*hosting, we value the efforts of the security community to help us maintain the highest security standards for our products and services. This Vulnerability Disclosure Program (VDP) invites researchers to identify vulnerabilities that can potentially compromise the integrity, availability, or confidentiality of our systems. We are committed to working with the community to resolve identified issues promptly.
Disclosure Policy
- As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's disclosure guidelines.
Program Rules
In connection with your participation in this Program, you agree to comply with is*hosting Terms of Use, is*hosting Privacy Policy, and all applicable laws and regulations, including any laws or regulations governing data privacy or the lawful processing of data.
- Please provide detailed reports with reproducible steps, including screenshots, code snippets, and environment details. If the report is not detailed enough to reproduce the issue, it may not be marked as triaged.
- Submit one vulnerability per report. If chaining vulnerabilities to demonstrate impact, clearly explain the interdependencies and overall impact in a single report.
- When duplicates occur, we only triage the first received report that can be fully reproduced.
- Multiple vulnerabilities caused by one underlying issue will be consolidated into one report and treated as a single submission.
- Social engineering attacks (e.g., phishing, vishing, smishing) are strictly prohibited and will result in disqualification.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or have explicit permission to use. Unauthorized access to any account or data is strictly prohibited.
- Use specific identifiers, including your registered HackerOne email address ("[email protected]"), to help us recognize your traffic.
- Security issues found on third-party assets not managed by us are out of scope. Ensure your target belongs to us by verifying domain registration and DNS records.
- The use of automated scanners and tools (e.g., Nessus, Burp Suite) is prohibited unless explicitly allowed.
Session Layer: HTTP Headers
Researchers should add headers to requests such as:
- “X-HackerOne-Research: [H1 username]”
Test Plan
To access our testing environments, follow these steps:
- Register on https://my.ishosting.com/ using your HackerOne email alias (ending in @wearehackerone.com).
- Once logged in with your verified email alias, go to https://my.ishosting.com/en/hackerone.
- On this page, you can request an automatic balance top-up for research purposes to activate the services you need for testing.
Important:
- Do not manipulate your email alias (e.g., adding "+something" to it), as only the original alias (e.g., [email protected]) will be accepted for balance top-up requests.
- This balance is strictly for testing within the Vulnerability Disclosure Program (VDP) scope.
Abuse of Rewards System
Balance top-ups provided for testing purposes are strictly for use within the Vulnerability Disclosure Program (VDP) scope and are subject to rigorous monitoring.
- Misuse of allocated funds for purposes unrelated to VDP will result in account suspension, balance annulment, and removal from the program.
- Violators may also be reported to HackerOne, which could impact their standing on the platform.
Single Account Policy
Participants are prohibited from creating multiple accounts to gain additional balance top-ups or other benefits.
- If duplicate accounts are identified, all related accounts will be suspended, their balances revoked, and the participant will be disqualified from the program.
- Further action, including reporting to HackerOne, will be taken as necessary.
Resources for Testing
Scope
The scope of this program includes all assets and applications related to our main platform. Researchers should ensure they test various features across different markets to get a comprehensive view. Specific environments and assets are outlined below.
The following is*hosting domains are In-Scope:
- ishosting.com
- my.ishosting.com
- api.ishosting.com
Out-of-Scope domains:
- blog.ishosting.com
- help.ishosting.com
You can also check relevant domains at https://hackerone.com/ishosting/policy_scopes.
Core Ineligible Vulnerabilities
When reporting potential vulnerabilities, please consider (1) realistic attack scenarios, and (2) the security impact of the behavior. Below, you will find the most common false positives we encounter. The following issues will be closed as invalid except in rare circumstances demonstrating clear security impact:
Safe Harbor
The Gold Standard Safe Harbor applies.
Changes to Program Terms
The Vulnerability Disclosure Program (VDP), including its policies, is subject to change or termination by is*hosting at any time without notice. is*hosting may change these Program Terms and/or its policies at any time by posting a revised version. Your continued participation in the VDP following the posting of such modifications constitutes your acceptance of the modified Program Terms.
Conclusion
Thank you for helping keep is*hosting and our users safe!
We appreciate the contributions of the security community in helping us protect our users and systems. Thank you for your efforts and adherence to this policy in making our platform more secure.