Report Security Issues

If you discover a security flaw on intorato.us, please contact us as soon as possible. All genuine vulnerability reports will be reviewed, and we will do everything we can to fix the problem as soon as possible. Please read this document before reporting, which includes the basic concept, bounty scheme, incentive rules, and what should not be reported.

BASIC PRINCIPLES

If you comply with the principles below when reporting a security issue to intorato.us, we will not initiate a lawsuit or law enforcement investigation against you in response to your report. We ask that:

1.You give us reasonable time to review and repair an issue you report before making public any information about the report or sharing such information with others.

2.You don’t interact with an individual account (which includes modifying or accessing data from the account) if the account owner has not consented to such actions.

3.You make a good faith effort to prevent privacy breaches and other disturbances, such as data loss and interruption or deterioration of our services (but not limited to).

4.You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)

5.You do not violate any other applicable laws or regulations.

BOUNTY PROGRAM

Security researchers who help us keep people secure by disclosing vulnerabilities in our services are recognised and rewarded. The monetary rewards for such reports are solely at the discretion of intorato.us, and are determined by risk, effects, and other factors. To be eligible for a bounty, you must first fulfil the following requirements:

1.Adhere to our Basic Principle (see above).

2.Report a security bug: that is, identify a vulnerability in our services or infrastructure which creates a security or privacy risk. (Note that intorato.us ultimately determines the risk of an issue, and that many bugs are not security issues.)

3.Submit your report via our security center. Please do not contact employees.

4.If you unintentionally cause a privacy breach or disturbance when investigating a problem (such as accessing account data, service settings, or other confidential information), make sure to mention it in your report.

5.We investigate and respond to all valid reports. Due to the volume of reports we receive, though, we prioritize evaluations based on risk and other factors, and it may take some time before you receive a reply.

6.We reserve the right to publish reports.

REWARDS

Our incentives are determined by the severity of a weakness. We will update the software over time in response to feedback, so please let us know if there is any aspect of the programme that you think could be improved.

1.Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.

2.When duplicates occur, we award the first report that we can completely reproduce.

3.Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

4.The bounty reward is determined by a number of factors, including (but not limited to) effects, ease of exploitation, and report quality. We call attention to the bounty rewards, which are mentioned below.

5.Amounts below are the maximum we will pay per level. We aim to be fair, all reward amounts are at our discretion.

Critical severity Vulnerabilities ($200): Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allows remote code execution, financial theft, etc. Examples:

  • Remote Code Execution
  • Remote Shell/Command Execution
  • Vertical Authentication bypass
  • SQL Injection that leaks targeted data
  • Get full access to accounts

High severity Vulnerabilities ($100): Vulnerabilities that affect the security of the platform including the processes it supports. Examples:

  • Lateral authentication bypass
  • Disclosure of important information within the company
  • Stored XSS for another user
  • Local file inclusion
  • Insecure handling of authentication cookies

Medium severity Vulnerabilities ($50): Vulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples:

  • Common logic design flaws and business process defects
  • Insecure Direct Object References

Low severity Vulnerabilities: Issues that affect singular users and require interaction or significant prerequisites (MITM) to trigger. Examples:

  • Open redirect
  • Reflective XSS
  • Low sensitivity Information leaks

24 Hours Customer Support:

Call us at: +1(434)-202-4351
E-mail: support@intorato.us