Device Authority believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our products or services, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts and tenants you own or with explicit permission of the account holder.
While researching, we'd like to ask you to refrain from:
- Denial of service
- Social engineering (including phishing) of Device Authority staff or contractors
- Any physical attempts against Device Authority property or data centres
- Bulk automated scan tools, especially against the marketing site (www.deviceauthority.com)
While we encourage any submission affecting the security of a Device Authority property, unless evidence is provided demonstrating exploitability, the following examples are excluded from scope:
- Content spoofing / text injection
- Self-XSS [to be valid, cross-site scripting issues must be exploitable in reflected, stored or DOM-based types]
- Logout and other instances of low-severity Cross-Site Request Forgery
- Cross-site tracing (XST)
- Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)
- Missing security headers which do not lead directly to a vulnerability
- Missing cookie flags on non-sensitive cookies
- Missing best practices (we require evidence of a security vulnerability)
- Incomplete, invalid or missing SPF (Sender Policy Framework) or DKIM records
- Vulnerabilities only affecting users of outdated or un-patched browsers and platforms
- SSL/TLS best practices
- Phishing risk via Unicode/punycode homoglyphs or right-to-left override (RTLO) issues
- Our policies on the presence or absence of SPF/DMARC records
- Password, email and account policies, such as email address verification, reset link expiration or password complexity
- Clickjacking/UI redressing with no practical security impact
- Username / email enumeration via Login Page or Forgot Password Page error messages
- Vulnerability reports with video-only PoCs
- Reports that state that software is out of date or vulnerable without a proof of concept.
- Vulnerabilities as reported by automated tools without additional analysis as to how they’re an issue.
- Attacks requiring a man-in-the-middle (MITM) position
Device Authority will investigate legitimate reports and make every effort to quickly resolve any vulnerability. Please make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of services. Any activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you.
Device Authority will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorised” conduct under the Computer Fraud and Abuse Act. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope of this program.
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Please submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.
Service-level agreement (Performance expectations)
Device Authority will make a best effort to meet the following expectations for hackers participating in this program:
Time to first response: 2 business days or less.
Time to triage: 3 business days or less.
Device Authority is not currently offering financial rewards. Please note that this section may change in the future.
Thank you for helping keep Device Authority and our users safe!
The Fine Print
You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards. Device Authority employees and their family members are not eligible for bounties.
In order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Device Authority reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.