Bug Bounty Program

Effective Date: October 18, 2021

Finblox recognizes the importance and value of security researchers’ efforts in helping to keep our services safe. We encourage responsible disclosure of vulnerabilities via our public bug bounty program (“Bug Bounty Program”) described on this page.

The Bug Bounty Program scope covers all software vulnerabilities in services provided by Finblox.

Please review our Bug Bounty Program terms before submitting a report. By submitting a report, you agree to the terms herein. A valid report should clearly demonstrate a software vulnerability that harms Finblox systems or customers. A report must be valid, in scope report in order to qualify for a bounty. Finblox will determine in its sole discretion whether a report is eligible for a reward and the amount of the award. ​

PROGRAM POLICIES

Finblox will not initiate legal action for security research conducted in accordance with this document even with accidental violations made with good faith. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c).

If legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Finblox cannot and does not authorize security research in the name of other entities. However, Finblox reserves the right to forward details of any issues discovered in relation to a third party without further discussion with the researcher. We will do our best to coordinate and communicate with researchers throughout this process.

Please receive permission from our Security team (email us at [email protected]) before engaging in conduct that may be inconsistent with or unaddressed by this policy. This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.

RESEARCHER REQUIREMENTS

Complying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”. Responsible Disclosure includes:

1. Providing Finblox a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.
2. Making a good faith effort to preserve the confidentiality and integrity of any Finblox customer data.
3. Not defrauding Finblox customers or Finblox itself in the process of participating in the Bug Bounty Program.
4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Finblox.
5. Reporting vulnerabilities with no conditions, demands, or ransom threats.
6. Any and all data or information obtained from any actions associated with the vulnerabilities are to be submitted to Finblox and are to be destroyed at least one day after receipt of reward.
7. No personal information inadvertently obtained is to be saved, copied, stored, transferred, or otherwise retained.
8. Avoid modifying, destroying, interrupting, or accessing data that does not belong to you or at the degradation of our services.

Finblox considers Social Engineering attacks against Finblox employees to be a violation of Program Policies. Researchers engaging in Social Engineering attacks against Finblox employees will be banned from the Bug Bounty program. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.

DOMAINS IN SCOPE

• api.finbloxapp.com
• app.finblox.com
• www.finbloxapp.com
• app.finblox.com
• www.finblox.com

Any domain not listed is out of scope. If you have identified a security vulnerability on a target that is not in scope but demonstrates a connection with Finblox, you may report it, however, depending on the severity of the discovered vulnerability, it may or may not be eligible for rewards.

EXCLUSIONS

• Theoretical vulnerabilities without actual proof of concept
• Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
• Clickjacking/UI redressing with minimal security impact
• Internally known issues, duplicate issues, or issues that have already been made public
• Tab-nabbing
• Self-XSS
• Vulnerabilities are only exploitable in old browsers or platforms (e.g. old version of browser which differs from the last stable version or outdated OS which do not receive security updates anymore)
• Lack of security flags in cookies outside of *.finbloxapp.com domain
• Issues related to unsafe SSL/TLS cipher suites or protocol version
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
• Missing security headers that do not lead to direct exploitation
• CSRF with negligible security impact
• CSP Headers, X-Frame-Options, Content sniffing, HPKP, etc.
• Content or text injection issues that are mitigated by CSP Headers or any other mitigations.
• If you submit a report about a missing/incomplete header, please be absolutely sure you are correct that there is a legitimate problem.
• If you believe that one of the above is affecting a major browser in a negative way, come prepared with a working proof of concept. Reports without a proof of concept will be denied.
• Vulnerabilities that require root/jailbreak
• Vulnerabilities that require physical access to a user’s device
• Issues that have no security impact (E.g. Failure to load a web page)
• Assets that do not belong to Finblox
• Phishing (E.g. HTTP Basic Authentication Phishing)
• Any activity (like DoS/DDoS) that disrupts our services
• Installation Path Permissions
• Attacks requiring MITM or physical access to a user’s device.
• Missing best practices without a working Proof of Concept.

REPORTING THE VULNERABILITIES

All vulnerabilities should be reported at [email protected]. In order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Finblox that harms Finblox or our customers. Finblox may reject any submission that does not meet the criteria set forth in these terms or is deemed ineligible at our sole discretion. Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid. Along with your detailed report, please be sure to include the following:

• The product and version affected
• A detailed description of vulnerabilities
• Information of known exploits​

Preferably include the CVSS v3.1 Score calculation. This will help us to assign the right priority to your report and speed up the process in general. One of the tools that can be used for the calculation: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator.

REPORTS EVALUATION AND REWARD

Finblox awards bounties based on CVSS v3.1 Overall Score of the vulnerability. In order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Finblox provides the below table which is based on the historical payouts:

CVSS v3.1 Overall Score

The payouts listed above are minimum bounties per Category. Bonuses in excess of the vulnerability category minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation. Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports which is determined by our sole discretion.

Previous bounty amounts are not considered precedent for future bounty amounts. Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.

Bounty Reward arrangements under this program, including but not limited to the bounty amount, a form of payments, and timing, are at Finblox’s sole discretion and will be made on a case-by-case basis.

Any participants involved in the Bug Bounty Program are responsible for any liability associated with taxation with Bounty award payments. Finblox makes no representation in regards to the tax consequences of said payments under any circumstances in this program.

HOW YOU CAN CONTACT US ABOUT BUG BOUNTY QUESTIONS
If you have questions or concerns regarding this program, you may contact us on our support page or by contacting our Security Officer at [email protected].