Details

Openfolio Bug Bounty Program

Responsible Disclosure

Responsible disclosure includes:

Make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our services
Do not access or modify data that does not belong to you
Do not make any information public until the issue has been resolved

In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.

Eligibility

Openfolio reserves the right to decide if the minimum severity threshold is met and whether it was previously reported.

In general, anything which has the potential for financial loss or data breach is of sufficient severity, including:

XSS
CSRF
Authentication bypass or privilege escalation
Click jacking
Remote code execution
Obtaining user information

In general, the following would not meet the threshold for severity:

Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website
Denial of service
Spamming
Previously reported bugs

If you are testing the comment feature, please delete any comments that are not an example of a vulnerability.

Automated Scanning

If you employ automated scanning tools, their requests must be rate limited to not exceed 2 requests per second without prior approval. Failure to do so may be considered a DoS attack and will result in disqualification from the program.

Automated vulnerability scanners commonly have low priority issues and/or false positives. Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable. Please submit an issue only if you have a proof-of-concept (see Scope Exclusions, above)

Attributes of a good report

Detailed steps on reproducing the bug. If valuable, please include any screenshots, links you clicked on, pages visited, etc.
Quality not quantity. Keep focused on the technical details and provide precise explanations; stay clear of off-topic commentary.
Provide us with a concrete attack scenario. How will this impact Openfolio or our users?

Thank you for helping keep our community safe

Responsible Disclosure

Responsible disclosure includes:

Make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our services

Do not access or modify data that does not belong to you

Do not make any information public until the issue has been resolved

In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.

Eligibility

Openfolio reserves the right to decide if the minimum severity threshold is met and whether it was previously reported.

In general, anything which has the potential for financial loss or data breach is of sufficient severity, including:

XSS

CSRF

Authentication bypass or privilege escalation

Click jacking

Remote code execution

Obtaining user information

In general, the following would not meet the threshold for severity:

Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website

Denial of service

Spamming

Previously reported bugs

If you are testing the comment feature, please delete any comments that are not an example of a vulnerability.

Automated Scanning

Attributes of a good report

Detailed steps on reproducing the bug. If valuable, please include any screenshots, links you clicked on, pages visited, etc.

Quality not quantity. Keep focused on the technical details and provide precise explanations; stay clear of off-topic commentary.

Provide us with a concrete attack scenario. How will this impact Openfolio or our users?

Thank you for helping keep our community safe