studentdoctor.net Bug Bounty Program

Bug Bounty Scope

The following websites are within the scope of the program:

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

General Requirements:

- This Program is limited to exploitable security vulnerabilities and common vulnerabilities and exposures (CVE) found in our products, services, and websites. CVE issues with browsers, WordPress, Xenforo, or other common software packages are not eligible. Those errors should be reported to their respective programmers or copyright holders.

- Please do not test Xenforo or WordPress on our site. We license these commercial products. Instead, please contact WordPress or XenForo if you would like to provide CVE reports for their software.

- Please do not cause slowdowns of our site! No heavy load or DDoS testing.

- Absolutely no data loss or damage.

- Errors should be reported through openbugbounty.

- We are a small not-for-profit organization and can only afford to pay up to $10US per major CVE.

Testing Requirements:

- When submitting reports to us, we ask that you combine reports if the same or similar root cause affects multiple endpoints, subdomains, or assets.

- In researching a vulnerability, please do not cause harm to us (HPSA and/or SDN) or our users, attempt to access our offices, data centers, user accounts other than your own, test for spam, phishing, social engineering, or denial of service issues, violate any applicable law, disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.

- For the quickest handling of any vulnerability submissions, please ensure that you demonstrate the steps taken to identify or recreate the vulnerability.

- This program will not accept findings that do not demonstrate any actionable vulnerability. Examples of such non-vulnerabilities include content spoofing or text injection situations with no clear attack vector, and disclosure of information intended to be publicly accessed or otherwise does not present a real risk to our users or us.

Possible Awards:

- We offer a small bounty ($10US or less depending on severity) for newly discovered vulnerabilities and exposures.

- CVE that we have previously identified are not eligible for this bounty. Please use OpenBugBounty.org to track existing and known vulnerabilities.

- CVE issues with: browsers, Wordpress, Xenforo, or other common software packages are not eligible. Those errors should be reported to their respective programmers or copyright holders.

Special Notes:

- We aim to respond to all new vulnerability reports within 5 business days.

- To protect our users, we do not publicly disclose or confirm security vulnerabilities until we have conducted a full analysis of the reported vulnerability and issued any necessary fixes or mitigations.

- We follow common industry practices for coordinated and responsible vulnerability disclosure processes during such investigations, and we ask all vulnerability reporters to do the same. This means allowing us the opportunity to follow this process and remediate any reported vulnerabilities before you publicly disclose or share the vulnerability or methods to exploit with any third party.