Sunny Valley Networks Vulnerability Reward Program (SVN-VRP) Rules!
At Sunny Valley Networks, we take our users’ security very seriously. We build our software and infrastructure with this goal in mind. That’s why we decided to welcome help from the outside through our vulnerability reward program to put our security to the test!
Your participation in our Vulnerability Reward Program is voluntary. By submitting a report or otherwise disclosing a vulnerability to us (making a “Submission”), you are indicating that you have read and agree to follow the rules set forth on this page (“Program Rules”).
Services in Scope
The following Sunny Valley Networks and subsidiary web services that handle sensitive user data are anticipated to be in scope:
The program is likely to cover any design or implementation issue that has a significant impact on the confidentiality or integrity of user data. Here are a few examples:
Cross-site request forgery,
Authentication or authorization flaws,
Server-side code execution bugs.
Important exclusions to keep in mind
The following vulnerabilities are not eligible for bounty.
Network-level Denial of Service attacks
Application Denial of Service by locking user accounts
Descriptive error messages or headers (e.g. Stack Traces, banner grabbing)
Disclosure of known public files or directories (e.g. robots.txt)
Outdated software/library versions
OPTIONS / TRACE HTTP method enabled
CSRF on logo
CSRF on forms that are available to anonymous users
Cookies that lack HttpOnly or Secure settings for non-sensitive data
Self-XSS and issues exploitable only through Self-XSS
Reports resulting from automated scanning utilities without additional details or a POC demonstrating a specific exploit
Attacks requiring physical access to a user's device
Attacks dependent upon the social engineering of Smartling employees or vendors.
Username enumeration based on login or forgot password pages.
Enforcement policies for brute force, rate limiting, or account lockout.
SSL/TLS best practices.
SSL Attacks such as BEAST, BREACH, Renegotiation attacks.
Clickjacking, without additional details demonstrating a specific exploit.
Mail configuration issues including SPF, DKIM, DMARC settings.
Use of a known-vulnerable library without a description of an exploit specific to our implementation.
Password and account recovery policies.
Presence of autocomplete functionality in form fields.
Publicly accessible login panels.
Note that the program's scope is limited to technical vulnerabilities in Sunny Valley Networks online applications; do not attempt to break into the company's offices, launch phishing attacks against our workers, or anything similar.
Be a good citizen by not interfering with the service. Follow the Terms of Service.
If you get access to our system, please notify us immediately.
Do not attempt to carry out DoS attacks.
Do not utilize black hat SEO strategies.
Do not spam individuals, or do anything else that would jeopardize the availability of our services to all users.
We also advise against using any vulnerability testing software that generates large amounts of traffic on its own. To detect vulnerabilities, avoid using scanners or automated programs. They're noisy, and your IP address may be blocked.
Do not disclose any information about the vulnerability until it has been addressed.
Our reward amount mechanism is flexible, with no definite upper or lower limits. This implies that extremely creative or dangerous bugs will be rewarded. The amount will only be determined by the severity of the flaw. Once the vulnerability has been patched, rewards will be given via PayPal. For executing the transaction, these services charge a fee, which is taken from the amount awarded.
Please use our dedicated form to send your report. All contributions are responded to within a few days. We'll pay your reward via PayPal once the fix is released. Please email us if you have any questions about the program.
Please bear in mind that this reward program is solely for security flaws that allow outsiders to access the data of other users, not for typical bugs in our application.