At SuperOps, security is a top priority, and we are committed to safeguarding our customers' data with the highest standards of protection. We greatly value the contributions of independent security researchers and ethical hackers in strengthening our defenses. Our Responsible Disclosure Program is designed to encourage responsible reporting of vulnerabilities, allowing us to address potential security risks swiftly and effectively. By fostering transparency and collaboration with the security community, we aim to create a safer and more resilient platform for everyone.
As a token of appreciation for those who help enhance our security, we publicly recognize contributors by adding their names to our Security Hall of Fame.
Reporting Guidelines
Please follow the guidelines below when reporting a vulnerability:
Do not disclose the reported vulnerability to others until we have had a reasonable amount of time to address it.
Do not exploit the vulnerability you have discovered by downloading more data than necessary to demonstrate the issue or by deleting or modifying other users' data.
Make every effort to avoid privacy violations, data destruction, and service interruption or degradation. Only interact with accounts you own or those for which you have explicit permission from the account holder.
Do not perform Denial of Service (DoS) attacks, cause data corruption, trigger buffer overflows, or take any action that could impact the confidentiality, integrity, or availability of our data and systems.
Do not engage in social engineering or phishing attacks targeting customers or employees.
Submit a detailed report of your findings, including proof of concept, impact, screenshots, reproducible steps, and recommendations. Failure to provide sufficient documentation may lead to delays in the disclosure process or the report being deemed invalid.
Multiple vulnerabilities stemming from a single underlying issue will be considered one vulnerability.
Do not request compensation for time, materials, or discovered vulnerabilities through the Responsible Disclosure Program.
Our Commitment
If you adhere to these guidelines when reporting an issue:
We will not pursue or support any legal action related to your research.
We will review your report and provide feedback on it.
We will work with you to validate and resolve the issue, including an initial confirmation within 72 hours of submission.
Program Scope
SuperOps does not accept vulnerabilities found in third-party services, unless specific mitigations from SuperOps are required to remediate the issue.
Out of Scope Vulnerabilities
Browser cache-related issues
Clickjacking issues, unless an exploit demonstrating account takeover or disclosure of sensitive resources is provided
Missing SPF/DMARC records
Open redirects without a severe impact
Open ports without an accompanying proof of concept demonstrating vulnerability
Directory listing with readable content that is already public
SSL issues such as BEAST, BREACH, renegotiation attacks, forward secrecy not enabled, weak/insecure cipher suites, and missing best practices
EXIF data not stripped from images
Presence of common public files, such as robots.txt or files in the .well-known directory
Denial of Service (DoS, DDoS) attacks
Self-type Cross-Site Scripting (Self-XSS)
CSRF on anonymous resources or any CSRF issue that does not include an exploit demonstrating control over sensitive actions
Missing best practices in SSL/TLS configuration without proof of concept or demonstrated vulnerability
Content spoofing and text injection issues without an attack vector or the ability to modify HTML/CSS
Missing HttpOnly or Secure flags on cookies not related to authentication or sessions
Domain Name System Security Extensions (DNSSEC) configuration suggestions
Previously known vulnerable libraries without a working proof of concept (PoC)
Comma-Separated Values (CSV) injection without demonstrating a vulnerability
Brute-force attacks or lack of rate-limiting mechanisms
Tabnabbing
Username/email enumeration via the login page or forgot password page error messages
Vulnerabilities affecting outdated or unpatched browsers or operating systems
Security practices such as banners revealing software versions or missing security headers
Vulnerabilities on third-party-hosted sites unless they lead to a vulnerability on the main website
Vulnerabilities contingent on physical attacks, social engineering, spamming, etc.
Bugs already known to us or previously reported by someone else (recognition is given to the first reporter)
Bugs that have not been responsibly investigated and reported
Vulnerabilities requiring Man-in-the-Middle (MitM) attacks
Issues that we cannot reasonably be expected to address
Reports from current or former employees of SuperOps
Reporting viruses
Reports generated by automated scripts or scanners
Submitting complaints about services
Fraud reports and/or suspicions of fraud from false emails or phishing attempts
Application stack traces (path disclosures, etc.); however, if the response leaks application secrets, it is considered a valid bug
For mobile devices (Android & iOS apps):
Application crashes
Lack of obfuscation
Android backup vulnerability
Absence of certificate pinning
Exploits using runtime changes
Irrelevant activities/intents exported
Snapshot, pasteboard, or clipboard data leakage
Exploits reproducible only on rooted/jailbroken devices