Details

Vodafone Oman looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Response Targets

Vodafone Oman will make a best effort to meet the following SLAs for hackers participating in our program:

Type of Response	SLA in business days
First Response	5 days
Time to Triage	10 days
Time to Bounty	30 days
Time to Resolution	depends on severity and complexity

Disclosure Policy

As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Vodafone Oman.
Follow Vodafone Oman disclosure guidelines.

Program Rules

Do submit your reports in English
Do exercise caution and restraint with regard to personal data and do not intentionally engage in attacks against third parties, social engineering, denial-of-service attacks, physical attacks on any Vodafone property or spamming or otherwise causing a nuisance to other users.
Do provide Proof-of-Concept or sufficient information to enable reproduction of the vulnerability, so that it can be verified, reproduced, and possible remedies identified. Generally, identification of the vulnerable target, a description of the vulnerability and operations carried out to exploit the vulnerability are sufficient, but more details and information might be required in the case of complex vulnerabilities.
Do not abuse the vulnerability by causing disruption through your actions.
Do not share information about the vulnerability with others until it has been resolved.
Do submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Test Plan

Please set a custom header or user agent on every single request that you send. This will help Vodafone team identify that the activity is coming from a hacker on the program and ensure that your testing is not blocked or interrupted.
Please append your user agent header value with “h1.replace-with-your-hackerone-username”

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

Clickjacking on pages with no sensitive actions
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Attacks requiring MITM or physical access to a user’s device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Any activity that could lead to the disruption of our service (DoS).
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Rate limiting or brute force issues on non-authentication endpoints
Missing best practices in Content Security Policy.
Missing HttpOnly or Secure flags on cookies
Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
Vulnerabilities only affecting users of outdated or unpatched browsers
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
Tabnabbing
Open redirect – unless an additional security impact can be demonstrated
Issues that require unlikely user interaction
Static resources / public information “exposed”
Leaked credentials.
Cache poisoning
Physical attacks towards any Vodafone property
CORS Vulnerabilities (cross-origin resource sharing)
Identical vulnerability but on a different asset (code-base is shared between multiple subdomains)
Vulnerabilities affecting end users such as Reflected XSS

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you.

Thank you for helping keep Vodafone Oman and our users safe!

If you have any questions please reach out to security(at)vodafone(dot)om

Type of Response

SLA in business days

First Response

5 days

Time to Triage

10 days

Time to Bounty

30 days

Time to Resolution

depends on severity and complexity

Program Rules

Do submit your reports in English

Do exercise caution and restraint with regard to personal data and do not intentionally engage in attacks against third parties, social engineering, denial-of-service attacks, physical attacks on any Vodafone property or spamming or otherwise causing a nuisance to other users.

Do provide Proof-of-Concept or sufficient information to enable reproduction of the vulnerability, so that it can be verified, reproduced, and possible remedies identified. Generally, identification of the vulnerable target, a description of the vulnerability and operations carried out to exploit the vulnerability are sufficient, but more details and information might be required in the case of complex vulnerabilities.

Do not abuse the vulnerability by causing disruption through your actions.

Do not share information about the vulnerability with others until it has been resolved.

Do submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

Social engineering (e.g. phishing, vishing, smishing) is prohibited.

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Test Plan

Please set a custom header or user agent on every single request that you send. This will help Vodafone team identify that the activity is coming from a hacker on the program and ensure that your testing is not blocked or interrupted.

Please append your user agent header value with “h1.replace-with-your-hackerone-username”

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

Clickjacking on pages with no sensitive actions

Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions

Attacks requiring MITM or physical access to a user’s device.

Previously known vulnerable libraries without a working Proof of Concept.

Comma Separated Values (CSV) injection without demonstrating a vulnerability.

Missing best practices in SSL/TLS configuration.

Any activity that could lead to the disruption of our service (DoS).

Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

Rate limiting or brute force issues on non-authentication endpoints

Missing best practices in Content Security Policy.

Missing HttpOnly or Secure flags on cookies

Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

Vulnerabilities only affecting users of outdated or unpatched browsers

Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).

Tabnabbing

Open redirect – unless an additional security impact can be demonstrated

Issues that require unlikely user interaction

Static resources / public information “exposed”

Leaked credentials.

Cache poisoning

Physical attacks towards any Vodafone property

CORS Vulnerabilities (cross-origin resource sharing)

Identical vulnerability but on a different asset (code-base is shared between multiple subdomains)

Vulnerabilities affecting end users such as Reflected XSS