Responsible disclosure

Introduction

At Hellorider we take the security of our systems very seriously. However, vulnerabilities can and will remain. If you discover such a vulnerability, we would love for you to let us know as soon as possible so we can fix them.

Please note that our responsible disclosure policy is not an invitation to actively probe our services to discover vulnerabilities. These probes do generate monitoring alerts and could trigger (costly) security investigations.

What we ask from you

  • Email your findings to [email protected]. Please encrypt your findings using our PGP key if you’re sending sensitive (personal) information. You can find our key at the bottom of this page.
  • Do not take advantage of any vulnerability you discover.
  • Do not publish about the vulnerability before the vulnerability has been resolved.
  • Do not use attacks on physical security, social engineering, DDoS or spam.
  • Provide sufficient information for us to reproduce the issue. Only send what we need to locate and reproduce the issue. Try not to send (personal) information we don’t need.

What you can expect from us

  • Our team will confirm receiving your report within 48 hours.
  • We will respond within 3 business days to confirm the vulnerability and proposed solution and expected date.
  • We will never share your personal data with any third parties unless you ask us to. Anything you send us will be kept confident, except when we are obliged by law or court ruling to share the information.
  • We will keep you informed about the progress of the solution and will talk you about if, when and how we will publish the vulnerability. We will never publish anything before the issue is resolved.

What and what not to report

Send us:

  • Persistent Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Broken Authentication
  • XML Injections (XXE)
  • Remote Code Execution (RCE)
  • SQL Injection (SQLi)
  • Vulnerabilities concerning Encryption with working exploit POC
  • Authentication Bypass (Unauthorised Sensitive Data Access)
  • Cross Tenant Data Leak
  • Directory Traversal
  • Security misconfiguration having a severe impact. These will be evaluated on case-by-case basis.

Don’t send us:

  • Any kind of Brute Force attacks
    • Username Dictionary Attack
    • OTP or MFA Brute Force as these mostly are serviced by third party
    • Forgot Password for Account lockout
  • Missing Rate Limiting Protection
  • Related to Cookies:
    • Missing “Secure” flag in cookie
    • Missing “HTTPOnly” flag in cookie
  • Social Engineering & Hacking
  • Self-XSS
  • Publicly accessible login pages for CMS/Administrative area
  • Denial of Service (DOS/DDOS) vulnerabilities
  • Security Headers related, such as but not limited to:
    • HTTP Strict Transport Security (HSTS)
    • Public Key Pinning (HPKP)
    • X-XSS-Protection
    • X-Content-Options
    • X-Content-Security-Policy (CSP)
    • X-Webkit-CSP
  • HTTP Header Methods:
    • HTTP Trace method is enabled
    • OPTIONS, PUT, DELETE header methods excepted; (Only with working exploit)
  • Host Header Injection
  • Clickjacking and related exploitable attack vectors
  • Fingerprinting:
    • Banner Grabbing
    • Version Disclosure of public services
  • Cross-Site Request Forgery (CSRF) on publicly available forms for anonymous user:
    • Contact Form
    • Login Form
  • Autocomplete attribute is disabled
  • SSL/TLS Vulnerabilities related to configuration without a working Exploit:
    • Version Information
    • Weak Ciphers
    • SSL Forward Secrecy not Enabled
    • SSL attacks that are not remotely exploitable
  • Related to E-mail:
    • SPF
    • DKIM
    • DMARC
  • Related to DNS and Infrastructure:
    • Expired or Inactive domains
    • Missing DNSSEC
    • Localhost DNS record
  • Disclosure of known public or non-sensitive files such as robots.txt
  • Http 404 Error pages
  • Same Site Scripting

Rewards

As we’re just a startup, we are not in a position to offer you financial rewards right now. However, we can acknowledge you on our website (on this page) and offer discounts on our services where applicable. As we currently only offer our services in the Netherlands, please respect the fact we can’t offer discounts if you’re living in another country.

Our PGP key

-----BEGIN PGP PUBLIC KEY BLOCK----- mQENBGB2t04BCAClX30/bzJAXO9iCxLm7Du5eRgDksjjJey0LFyRD7X9I/c7v5mL nyfOCBHr2SWaH4jrqHa/7oNScCgbCR9JRQ9mLb09w38XbM3YqHHgoWFpp2VZ1Erl gkmJKmqZhnzfVXpb5XhELtEgVsNYkc4P4PhGUf8qTXSn9T3LMO2d36EgezXo19lZ ZvjfBZHk8OKFIHZ79xDUM80rIO2DroHikmJm8hy7LvMiHDQ/q9V1H23LvbFkzbmG H0q5WoSjLCPfLkcNZSMj7mNlL8oyPYDPzJrYJoRXHunWgEyawz8cF2f5GPMkKshw 2FwDUOcBJ0GmtH/knjVtWsd4Jl97DCygxhTDABEBAAG0IkhlbGxvcmlkZXIgPHJl cG9ydEBoZWxsb3JpZGVyLmNvbT6JAVQEEwEIAD4WIQTCAYmxE0MKWDhvzZTT4vS5 L4PDfQUCYHa3TgIbAwUJCWdY0gULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRDT 4vS5L4PDfWHPB/0Zjs5COFiBG3Wv8HPEjrtRrBp9xtbAxEFNjqnznPDNsf/K3Qho 6CMM/98/VnA1doJ6p8I+OR08SxnwU0DCrDpscLL5fkgHlzBKtDcaf0pt+CmDAHJD Pi9rbc/XJ5EI96fqTQ7rYjKHzEcVtiQqbSENNTrv72CaFV7dVENxN2jhdA8lSb79 cSEA0BTyqG9hBotopEpR65UJ+fAc3nr3k3i8SZrY78hCcokt+bYgvt7VLV1Bb98d K09LWt5orjy+aF7AbekVslapGDIgjOP7xknGeSwIyx4ht2ss9KPDCaK2thOiU3Qs uBY3Pt6yy1iGQeEAkBV8G6qdkYrrcIYZ9u8juQENBGB2t04BCADKKcNIW+eaaRiw fKU7WYO/IqdpXMdFkKON8Lqg36x6LgvfI4yK1doaGU46/ckuWI3swwrR7SGRnR8k 6itaLdaH5vECoYwpKekSZLB0871m5EktGdeWFIZguewU57MXMHM/uqMk7wOrEKiI 0vATWfkAvrg/LU+0bMLzcq7wNRbM+KBOygXFFRivt0wES8m9DOL1AUmc6SHfKcAR IOLNXzuLxDvu3KtNbNfW+nDjDGzNy6rlsvNb0ouwhKxMhW2QKMMayAzGHya2W5gY FxoAhCpnFGqnXkMN2mWgJ05GUXe9OF8Ajc2jWYQBnswKq5xwkBgCKQYOkVM0GBkM zXADgqwpABEBAAGJATwEGAEIACYWIQTCAYmxE0MKWDhvzZTT4vS5L4PDfQUCYHa3 TgIbDAUJCWdY0gAKCRDT4vS5L4PDfW8wB/413ISScTkfaojlvWD+WLv5RvO+JM0y rfihMN+orSgXYuF7vmcYzuTYb5dqvrXFa614C5cU12dMjMMDQipgm6XBnJ2hJh2W URmvsjAmXtXZL4i9QnvJJTdnKPWNfqpGs+MHExuqQeIDson9Q6roonVZBShAmrig ZuMOomQ8OnRy2a3saaNW0SpT55eXnF0HCcaGuXVgXx0GyOsZNdGoAFToyFJUorL4 b/Dbqic0zZNka1bQy9Xkkk1pDQsutk2C7Pn0YY3YMTsc93dNlm4DzLihwTS/MmdV Ht47TfZf1eJGaw8tsY2QVddOCS4z6om4hDWvosohOg7vsho34lvf7TlJ =2ZHs
-----END PGP PUBLIC KEY BLOCK-----