Responsible Disclosure Policy
Responsible Disclosure Policy for SEON
At SEON, the security of our applications, services, and platforms is of utmost importance. We value the assistance of security researchers and analysts in identifying and reporting potential vulnerabilities in a responsible manner. When vulnerabilities are disclosed to us in good faith, we commit to validating and resolving them in line with our policies, while reserving our legal rights in the event of non-compliance with applicable laws and regulations.
By participating in SEON’s Vulnerability Disclosure Program, all individuals agree to comply with the terms and conditions outlined in this Responsible Disclosure Policy.
Authorization and Legal Protection
If you make a good-faith effort to comply with this policy during your security research:
- Your actions will be considered authorized.
- SEON will collaborate with you to understand and resolve the issue promptly.
- SEON will not pursue legal action related to your research.
- If a third party initiates legal action against you for activities conducted in line with this policy, SEON will make this authorization known.
Reporting a Vulnerability
For Customers:
Please contact [email protected] to report any vulnerabilities.
For Independent Researchers/Analysts:
Submit your findings through our Vulnerability Disclosure Program (VDP) form (by clicking the ‘Submit your Findings’ button at the end of this Policy) with the following details:
- A clear and detailed description of the issue and its location (include screenshots, if applicable).
- Steps required to reproduce the issue.
Examples of Valid Vulnerabilities
The following are examples of valid vulnerabilities under this policy:
- Authentication flaws
- Circumvention of platform or privacy permissions
- Privilege escalations
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Server-Side Request Forgery (SSRF)
- Injection attacks (SQL, XML, JSON, etc.)
- Business logic bypasses
- Arbitrary redirects
- Remote Code Execution (RCE)
General Rules
- The VDP program’s scope consists of the SEON Website, SEON Admin Panel, Authentication Service and the SEON API endpoints (see docs.seon.io for the API reference).
- If you find anything suspicious, please do not proceed with testing in the production environment. Submit your report through our VDP form, ask our bug bounty/VDP platform provider for access to our private bug bounty program, and use the dedicated environment for testing.
- Avoid privacy violations, destruction, deletion, modification or removal of data, and any action that could cause an interruption or degradation of SEON’s services.
- Only interact with accounts you own.
- Findings must be exact, and the Bug Bounty Reports must contain the steps to follow to reproduce the issue. Attachments such as screenshots or Proof of Concept Code are highly recommended.
- Rewards or recognition will not be awarded if our security team cannot reproduce and verify a finding.
- You must be the first person to report a valid Finding (‘duplicate’ reports will not be rewarded).
- SEON requests that Bounty Hunters do not perform automated/scripted testing of web forms, especially “Contact Us” forms.
- If you find the same vulnerability several times, please report only one Finding. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- You must not be a former or current employee/contractor of SEON or one of its subcontractors.
Assumptions and Limitations
Strictly Prohibited:
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) based attacks
- Non-technical attacks such as social engineering, phishing, vishing, smishing
- Physical security attacks
- Password cracking attempts (brute-forcing, rainbow table attacks, wordlist substitution, etc.)
Out of Scope Issues:
- Open ports without an accompanying proof-of-concept demonstrating vulnerability
- Design flaws and best practices that do not lead to security vulnerabilities
- Weak/expired SSL configurations
- Vulnerabilities affecting users of outdated browsers
- Missing security best practices and controls (e.g., lack of CSRF protection, missing HttpOnly or secure flags on cookies, missing XSS-Protection HTTP header)
- Self XSS
- Software version disclosure
- Lack of strong password policy
- Internal IP disclosure
- Rate-limiting issues
- Lack of captchas or other spam-preventing mechanisms
- Content spoofing and text injection issues
- User enumeration
- Open redirects
- Clickjacking on pages with no sensitive actions
- DNS server misconfiguration, lack of DNS CAA, and DNS-related configurations
- Absence of SPF / DKIM / DMARC records
- Mixed content warnings
Key Points to Keep in Mind
- Do not degrade the performance of SEON’s systems during your research.
- If your actions result in intrusive testing or attacks on our systems, SEON reserves the right to report such activities to law enforcement.
- Ensure that vulnerabilities are disclosed to SEON privately. We request that you refrain from disclosing any information regarding identified vulnerabilities until we have resolved/fixed such vulnerability. If you believe it is necessary to inform others of the vulnerability before we have implemented a resolution/fix, we require that you coordinate any disclosure with us in advance. You are not to share or disclose any findings or related information without prior approval from SEON.
Recognition for Valid Reports
If you identify a valid security vulnerability in compliance with this Responsible Disclosure Policy, SEON will:
- Acknowledge receipt of your report.
- Collaborate with you to understand and validate the issue.
- Address the vulnerability in a timely and appropriate manner.
- Work with you to enhance the security of our systems and prevent cybercrime.
Submissions will be reviewed to confirm validity and ensure they have not been previously reported. Any public disclosure of identified vulnerabilities without explicit written consent from SEON will be considered non-compliant with this Policy.
Rewards
SEON may offer recognition and rewards to Bounty Hunters who responsibly and ethically report security vulnerabilities in accordance with this Policy. The reward amount, if granted, will be determined at SEON’s discretion, taking into account factors such as the vulnerability’s severity, potential impact, and the thoroughness of the report.
Please be aware that all rewards are distributed via our private program on Hackrate (hckrt.com).
Non-Disclosure and Confidentiality
Bounty Hunters must respect the confidentiality and privacy of any information or data accessed during their security research. Any confidential or proprietary information obtained in the course of your research must not be disclosed, shared, or used for any purpose without SEON’s prior explicit permission. This includes, but is not limited to, system data, security flaws, system architecture, customer information and intellectual property. Unauthorized disclosure or misuse of such information is strictly prohibited and may result in legal consequences and could disqualify you from participating in future research or bounty programs.
Compliance with applicable laws
Bounty Hunters are responsible for ensuring that their security research adheres to all applicable local, national, and international laws and regulations. SEON cannot provide legal support or protection for any activities that are unlawful or outside the scope of this Policy.
Acknowledgement
By participating in SEON’s Vulnerability Disclosure Program, you confirm that you have read, understood, and agree to adhere to the terms and conditions set forth in this Policy.
Thank you for your contribution toward enhancing SEON’s security posture!
Submit Your Findings
We appreciate your assistance in keeping SEON secure and look forward to collaborating with you to protect our customers and systems.