We would like to foster a culture of collaboration to achieve better security and make the internet a better place. If you believe that you have found a security issue in our product or service that can adversely impact InMobi Group's digital assets, or if you have a suggestion to improve our security, please contact our security team at firstname.lastname@example.org. Our security team will get in touch and work with you to understand your research, quantify it as per CVSS 3.0 and recognise it as per our awards program.
- A detailed description of the issue
- Steps to reproduce the issue and demonstrate exploitability
- Any additional references
- Compliance with the spirit of the responsible disclosure guidelines (see below)
- Collaborative spirit
- No malicious activities (**)
- Prompt acknowledgment of the report (within 2 business days)
- Transparency throughout the process
- An environment conducive to collaboration
- Recognition as per InMobi's Bug Bounty program
Rewards are proportional to the severity of the vulnerability, the asset value and the overall impact. This evaluation is done by InMobi's security team using CVSS 3.0 as the benchmark for overall quantification. Cash rewards may therefore vary for the same type of vulnerability, owing to differing asset values and overall impact. In exceptional cases, where a vulnerability is unique and complex, the security researcher may be paid more than the Rewards Grid (mentioned below). InMobi reserves discretion over the rewards program and reserves the right to change it without public notice.
Vulnerabilities in scope of bug bounty program are as follows:
- Remote Code Execution (RCE) - able to execute arbitrary commands on a remote device
- SQL Injection - able to read Personally Identifiable Information (PII) or other sensitive data / full read/write access to a database
- Server-Side Request Forgery (SSRF) - able to pivot to internal application and/or access credentials (not blind)
- Information Disclosure - mass PII leaks including data such as names, phone numbers and addresses
- LFI/RFI - Local File Inclusion/Remote File Inclusion
- Stored Cross-Site Scripting (XSS) - stored XSS with access to non-HttpOnly cookies
- Information Disclosure - leaked credentials (pertaining to InMobi Group digital assets)
- Subdomain Takeover - on a domain that sees heavy traffic or would be a convincing candidate for a phishing attack
- Cross-Site Request Forgery (CSRF) - leading to account takeover
- Account Takeover (ATO) - with no or minimal user interaction
- Insecure Direct Object Reference (IDOR) - read or write access to sensitive data or important fields that you do not have permission to
- SQL Injection - able to perform queries with a limited access user
- IDOR - write access to modify objects that you do not have permission to
- CSRF - able to modify important information (authenticated)
- ATO - required user interaction
- XSS - reflected/DOM XSS with access to cookies
- XXE - XML External Entity attack
- Directory listings
- Session management flaws
- XSS - POST based XSS (with CSRF bypass)
- Lack of HTTPS on dynamic pages (judged on a case-by-case basis)
- Server information page (no credentials)
- Subdomain Takeover - on an unused subdomain
Rewards Grid: rewards are categorised as per CVSS 3.0; recognition also includes a certificate of appreciation and a place in the hall of fame.
Out of scope vulnerabilities:
The following categories of vulnerabilities are excluded from rewards.
- IDOR references for objects that you have permission to
- Duplicate submissions that are being remediated
- Blind SSRF
- Known issues
- Rate limiting (unless its absence poses a severe threat to data or causes business loss)
- Multiple reports for the same vulnerability type with minor differences (only one will be rewarded)
- Open redirects
- Clickjacking and issues only exploitable through clickjacking
- Missing HttpOnly and Secure flags on cookies other than session cookies (only session cookies are required to carry these flags; for other cookies this is not considered a vulnerability)
- Vulnerabilities which are exploitable only via MITM attack
- Patches released within the last 30 days. Version disclosure is not considered a vulnerability.
- Networking issues or industry standards.
- Password complexity.
- Email related: SPF or DMARC records, Gmail "+" and "." acceptance, Email bombs, Unsubscribing from marketing emails.
- Information Leakage: descriptive error messages (e.g. stack traces, application or server errors), HTTP 404 codes/pages or other HTTP non-200 codes/pages, fingerprinting / banner disclosure on common/public services, disclosure of known public files or directories (e.g. robots.txt), cacheable SSL pages.
- CSRF on forms that are available to anonymous users (e.g. the contact form, sign-up form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Weak CSRF in the APIs.
- Forgot Password page brute force and account lockout not enforced.
- Lack of Captcha.
- Sessions not expiring after email change.
- Presence of application or web browser "autocomplete" or "save password" functionality.
- Session Timeouts.
At InMobi we believe that with great knowledge comes great responsibility. We expect that you will let us know as soon as possible upon discovery of a potential security issue, give us reasonable lead time to respond to your report before making any information public, and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research. You will only interact with accounts you own or accounts for which you have the explicit permission of the account holder. We will reciprocate by working with you to mitigate the issue to the satisfaction of both parties. We would prefer that interested researchers coordinate their efforts with our security team so that we can avoid any untoward incidents that could affect the confidentiality, integrity or availability of InMobi Group's digital assets.
We classify malicious activities as follows:
- Performing actions that may negatively affect interests of InMobi Group and/or its users (e.g. Spam, Brute Force, Denial of Service)
- Social engineering (including phishing) of InMobi staff or contractors
- Conducting any kind of physical or electronic attack on InMobi personnel, property or data centres
- Automated scanning
- Deliberate attempts to harm InMobi Group digital assets
- Introduction of backdoors/trojans/malware in InMobi Group digital assets
- Attempts to breach/copy/store/use/share/sell confidential data
Any attempt to cause harm to InMobi Group digital assets or data that does not follow responsible disclosure will be pursued legally to the full extent permitted by law.