Ripio HackerOne Program - Scope & Exclusions Policy (Logic-Based)

Welcome to Ripio's HackerOne Program! We're thrilled to have you join us on this exciting journey to make Ripio even safer and stronger together! Your skills, creativity, and dedication are truly valued.

Program highlights

• Fully compliant with Platform Standards
• Top Response Efficiency: This program's response efficiency is above 90%
• Includes Retesting

Average Response Times:

• Average time to first response: 1 day, 7 hours
• Average time to triage: 1 day, 15 hours
• Average time to bounty: 10 hours
• Average time from submission to bounty: 2 days, 1 hour
• Average time to resolution: 3 days, 14 hours

Rewards Summary

By Severity

By Asset

sandbox-b2b.ripio.com

• Low: $200
• Medium: $500
• High: $2,500
• Critical: $5,000

com.ripio.ios

• Low: $150
• Medium: $250
• High: $750
• Critical: $2,000

http://auth.ripio.com

• Low: $200
• Medium: $500
• High: $2,500
• Critical: $5,000

com.ripio.android

• Low: $150
• Medium: $250
• High: $750
• Critical: $2,000

All assets

• Low: $150
• Medium: $250
• High: $1,000
• Critical: $3,000

🏆 ATO Challenge (Special Bounty: $6,000)

Objective: Demonstrate a full Account Takeover by bypassing authentication mechanisms, specifically bypassing 2FA, to obtain a valid user session and perform a critical action.

• Target User: [email protected]
• Password: Sup3rs3cr3t!
• Required Proof: You must demonstrate access to Sensitive Information Disclosure, Wallet Balance, or perform a Minimal Transfer. Merely logging in is not enough if the session is restricted.
• Security Controls: 2FA is ENABLED. You must bypass it.
• Constraint: The email provider itself (@gmail.com) is Out-of-Scope. Do not attempt to compromise the Google account to read codes.
• Prohibited: Brute force attacks and Social Engineering are strictly prohibited.

✅ Qualifying Vulnerabilities (Focus Areas)

While we welcome all valid security vulnerabilities, we are specifically interested in:

📱 Mobile Specific

• Insecure Data Storage: Sensitive data (PII, Credentials) stored in plain text (SharedPrefs, SQLite, External Storage).
• Deep Link / Intent Hijacking: Malicious intents leading to Account Takeover or Sensitive Action execution.
• Biometric Bypass: Bypassing local authentication mechanisms.
• Hardcoded Secrets: Valid API Keys or Credentials found in the binary (must be verified).

🌐 Web & API

• Business Logic Errors: Payment manipulation, unauthorized transfers.
• Broken Access Control: IDOR, Privilege Escalation.
• Injection: SQLi, RCE.

🚫 Hard Exclusions (Auto-Close Rules)

Reports falling into these categories will be closed as N/A (Not Applicable) immediately.

Attack Vector Constraints

• Physical & Local Access: Any attack requiring physical access to the victim's device or access to the victim's local network (e.g., MITM, local malware, self-installed certificates).
• Social Engineering: Phishing, Vishing, Smishing, or any attack relying on deceiving employees or users.
• Denial of Service (DoS/DDoS): Any activity that disrupts, degrades, or interrupts service availability.
• Brute Force: Repetitive automated attempts against authentication endpoints.
• Third-Party Flaws: Vulnerabilities in 3rd party providers or integrations, unless they directly compromise Ripio data/infrastructure.

Infrastructure & Configuration

• SSL/TLS Configuration: Missing security headers (HSTS, HPKP), weak ciphers, or certificate issues.
• Email Security Records: Missing or incomplete SPF, DMARC, or DKIM records.
• Information Disclosure (Low Impact):
  • Verbose error messages or stack traces (unless they contain sensitive PII/Credentials).
  • Server banner grabbing / Version disclosure.
  • Publicly accessible files (robots.txt, readme.md, WordPress files) without sensitive data.
• CORS: Cross-Origin Resource Sharing issues without a working PoC demonstrating sensitive data exfiltration.
• COOP: Cross-Origin Opener Policy issues without a working PoC demonstrating sensitive data exfiltration.
• COEP: Cross-Origin Embedder Policy issues without a working PoC demonstrating sensitive data exfiltration.

⚠️ Conditional Exclusions (Proof Required)

These issues are considered N/A UNLESS the specific condition described below is met and demonstrated in the Proof of Concept.

XSS & Client-Side Attacks

• Reflected XSS:

  • Rule: Conditional Exclusion. Reports showing only alert(1) or non-sensitive DOM manipulation are N/A.
  • Exception: Valid ONLY if you demonstrate Account Takeover or Sensitive Action Execution via a clickable link or iframe (e.g., stealing a session token, bypassing CSRF to change email). The impact must be proven, not theoretical.

• Self-XSS:

  • Rule: Out-of-Scope if it requires the user to paste code into the console or address bar.
  • Exception: Valid ONLY if chained with another vulnerability (e.g., CSRF) to execute without user self-sabotage.

• Clickjacking:

  • Rule: Strictly Out-of-Scope on pages without sensitive state-changing actions (e.g., Login, Logout, Static Content).
  • Exception: Valid ONLY if you demonstrate a critical state change (e.g., Transfer Funds, Delete Account, Authorize App).

• Cookie Flags:

  • Rule: Missing Secure or HttpOnly flags are N/A.
  • Exception: Valid ONLY if you provide a working PoC that exploits this specific lack of protection.

Mobile & Native Apps

• Obfuscation / Binary Protection:

  • Rule: Lack of obfuscation, anti-debugging, or binary protection is N/A.
  • Exception: Valid ONLY if you can reverse engineer hardcoded secrets (API Keys, Credentials) that grant unauthorized access.

• SSL Pinning / Root Detection:

  • Rule: Bypassing client-side controls (Pinning, Root/Jailbreak detection) on your own device is N/A.
  • Exception: Valid ONLY if the bypass allows server-side exploitation that affects other users.

• Local Data Leaks (Snapshots/Pasteboard):

  • Rule: Application snapshots or keyboard cache/pasteboard leakage are N/A.
  • Exception: Valid ONLY if it exposes high-impact sensitive data (e.g., Credit Card numbers, Passwords) in a shared context.

• Tapjacking / Overlay Attacks:

  • Rule: N/A by default.
  • Exception: Valid ONLY if on a critical sensitive action (e.g., Confirm Transfer) with no other confirmation step.

🧪 Test Plan & Rules

• Header: Include X-H1-traffic: in all requests.
• Accounts: Use your @wearehackerone.com alias.
• Unrelated Issues vs. Exploit Chains:
  • Do not group unrelated vulnerabilities in a single report.
  • Exception: You MUST chain vulnerabilities if necessary to demonstrate impact (e.g., chaining Self-XSS with CSRF). This is considered a single "Exploit Chain".
• Safe Harbor: Activities conducted consistent with this policy are authorized. We will not initiate legal action against you.

🤐 Disclosure Policy

• Default: This program follows HackerOne's Coordinated Disclosure Policy.
• Public Disclosure: We generally agree to public disclosure after a fix has been deployed and verified.
• Mutual Agreement: Requests for disclosure will be reviewed on a case-by-case basis. Do not disclose any details publicly without our explicit written consent.

📝 Submission Quality Standards

To help us validate your report faster:

• Structured Steps: Use the numbered steps in the submission form. Do not write paragraphs.
• Video PoC: Highly recommended for complex UI bugs.