Bug Bounty Policy
Software security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. signageOS works with security experts across the globe to stay up-to-date with the latest security techniques. If you've discovered a security issue that you believe we should know about, we'd love to work with you. Our bug bounty program provides a monetary reward for these efforts.
signageOS's Bug Bounty Program applies to security vulnerabilities found within signageOS's public-facing online environment. This includes, but is not limited to, signageOS's websites, exposed APIs, mobile applications, and devices. For the protection of our customers, we do not disclose, discuss or confirm security matters until we have comprehensively investigated, diagnosed and fixed any known issues.
How to Participate
Highly skilled security researchers can participate in signageOS's Bug Bounty Program.
To submit a Bug Report, fill in this form: Bug Bounty Report Form.
signageOS reserves the right to refuse participants' requests without additional information.
- You must agree and adhere to the Program Rules and Legal terms as stated in this policy.
- You must be the first to report the issue in order to be eligible for bounty.
- You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.
- signageOS's partners are not eligible for participation in this program.
- Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.
- Do not attempt to view, modify, or damage data belonging to others.
- Do not disclose the reported vulnerability to others until we’ve had reasonable time to address it.
- Do not attempt to gain access to another user’s account or data.
- Do not use scanners or automated tools to find vulnerabilities. They’re noisy and we may ban your IP address.
- Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
At this time, the scope of this program is limited to security vulnerabilities found in the following targets:
The following vulnerabilities are not eligible for bounty.
- Network level Denial of Service attacks
- Application Denial of Service by locking user accounts
- Descriptive error messages or headers (e.g. Stack Traces, banner grabbing)
- Disclosure of known public files or directories, (e.g. robots.txt)
- Outdated software / library versions
- OPTIONS / TRACE HTTP method enabled
- CSRF on logout
- CSRF on forms that are available to anonymous users
- Cookies that lack the HttpOnly or Secure flags for non-sensitive data
- Self-XSS and issues exploitable only through Self-XSS
- Reports resulting from automated scanning utilities without additional details or a POC demonstrating a specific exploit
- Attacks requiring physical access to a user's device
- Attacks dependent upon social engineering of signageOS employees or vendors.
- Username enumeration based on login or forgot password pages.
- Enforcement policies for brute force, rate limiting, or account lockout.
- SSL/TLS best practices.
- SSL attacks such as BEAST, BREACH, Renegotiation attack.
- Clickjacking, without additional details demonstrating a specific exploit.
- Mail configuration issues including SPF, DKIM, DMARC settings.
- Use of a known-vulnerable library without a description of an exploit specific to our implementation.
- Password and account recovery policies.
- Presence of autocomplete functionality in form fields.
- Publicly accessible login panels.
- Lack of email address verification during account registration or account invitation.
- Lack of email address verification during password restore.
- Session control during email/password changes.
You may be eligible to receive a monetary reward if:
- You are the first person to submit a site or product vulnerability
- That vulnerability is determined to be a valid security issue by signageOS's security team
- You have complied with all Program Terms
All bounty amounts will be determined at the discretion of the "signageOS s.r.o" Bug Bounty team, who will evaluate each report for severity, impact, and quality. Reward amounts vary depending upon the severity of the vulnerability reported. There could be submissions that we determine have an acceptable level of risk such that we do not make changes.
The minimum bounty amount for a validated bug submission is $50 USD and the maximum bounty for a validated bug submission is $5.000 USD. signageOS's Bug Bounty team retains the right to determine if the bug submitted to the Bug Bounty Program is eligible. All determinations as to the amount of a bounty made by the signageOS Bug Bounty team are final.
| Type of Bug Reported | Reward Range |
|---|---|
| Level 0 - Informational | $ 0 - $ 0 |
| Level 1 - Low | $ 50 - $ 150 |
| Level 2 - Medium | $ 150 - $ 450 |
| Level 3 - High | $ 500 - $ 3.000 |
| Level 4 - Critical | $ 1.500 - $ 5.000 |
You'll need to submit an invoice in order to receive payment. The invoice has to meet all legal requirements. Once we have that information, awarded bounty payments will be made automatically. signageOS accepts the following payment methods.
signageOS DOES NOT SEND MONEY VIA PAYPAL! THE ONLY ACCEPTABLE PAYMENT METHOD IS A BANK WIRE TRANSFER BASED ON A COMMERCIAL INVOICE.
| Method | Required Items |
|---|---|
| Wire | First and last name, address, bank name, SWIFT, IBAN number, sort code |
Submit Your Report
To submit a Bug Report use exclusively this form: Bug Bounty Report Form.
It's important to include at least the following information in the email:
- Organization and contact name
- Products or solutions and versions affected
- Description of the potential vulnerability
- Supporting technical details (such as system configuration, traces, description of exploit/attack code, sample packet capture, proof of concept, steps to reproduce the issue)
- Information about known exploits
We will investigate legitimate reports and make every effort to quickly correct any vulnerability. A well written report will allow us to more quickly and accurately triage your submission.
- Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC).
- A clear description of the issue, including the impact you believe it has to the user, signageOS or others.
- Specific reproduction steps including the environment used for testing (browsers, devices, tools, configuration) and any accounts used during testing.
- Your recommendations to resolve the issue.
- Give us a reasonable time to correct the issue before making any information public
Terms and Conditions
There are constraints on who may participate in the signageOS Bug Bounty Program (the "Program"). In addition, there may be additional restrictions depending upon applicable local laws.
- The parties to this agreement are you and "signageOS s.r.o."
- You must abide by the law.
- "signageOS s.r.o." employees, contractors, and their families are not eligible for rewards.
- By submitting the vulnerability, you affirm that you have not disclosed and agree that you will not disclose the bug or your submission to anyone other than "signageOS s.r.o" via our Bug Bounty Process.
- Submissions selected for rewards, and the individuals who submitted the vulnerabilities, will receive appropriate recognition at the discretion of "signageOS s.r.o".
- By submitting information about a potential vulnerability, you are agreeing to these terms and conditions and granting "signageOS s.r.o" a worldwide, royalty-free, non-exclusive license to use your submission for the purpose of addressing vulnerabilities. Only the first report of a given issue that signageOS had not yet identified is eligible. In the event of a duplicate submission, only the earliest received report is considered.
- Eligibility for rewards and determination of the recipients and amount of reward is left up to the discretion of signageOS.
- The Program is focused predominantly on: Internet-facing "signageOS s.r.o" websites executing on internet domains that provide significant business value to signageOS, and are supported directly by signageOS and its suppliers; signageOS-branded mobile applications; devices; and the signageOS API Platform. Vulnerabilities submitted outside this scope are generally less likely to receive recognition or rewards under this Program.
- You are responsible for notifying "signageOS s.r.o" of any changes to your contact information, including but not limited to your email address. Failure to do so may lead to the forfeiture of Bounty Awards.
- signageOS s.r.o reserves the right to discontinue the Program at any time without notice.
- You may only exploit, investigate, or target vulnerabilities against your own accounts. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is expressly prohibited.
- If you inadvertently access proprietary customer, employee, or business related information during your testing, the information must not be used, disclosed, stored, or recorded in any way. Inadvertent access of the data must be declared within your submission.
- Your testing activities must not negatively impact signageOS or signageOS's online environment availability or performance.
Any information you receive or collect about signageOS through the Bug Bounty Program must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the signageOS sites, without signageOS's prior written consent.
Response efficiency metrics are tracked and reported in business days - Monday to Friday from 8 AM to 5 PM CET (UTC +2:00).
| Metric | Number of Days |
|---|---|
| First response time | 2 |
For the avoidance of any doubt, a bounty is paid within 30 days of receiving the valid invoice.