BUG REPORT
Last modified May 18th, 2022
Responsible Disclosure
We are dedicated to maintaining the security and privacy of the Somera services and customer data. We welcome security researchers from the community who want to help us improve our products and services.
Let us know as soon as possible after discovering a potential security issue, and we'll make every effort to resolve it quickly.
If you discover a security vulnerability, please give us the chance to fix it by emailing security@somera.com.tr with a detailed report and reproducible steps. Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
Publicly disclosing a security vulnerability without informing us first puts the rest of the community at risk. When you notify us of a potential problem, we will work with you to make sure we understand the scope and cause of the issue.
Thank you for your work and interest in making the community safer and more secure!
Rules
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
You must comply with these rules when discovering the vulnerability and submitting the vulnerability report.
Any user data gathered during testing must be anonymised in the report and deleted from your devices afterwards.
Somera is not legally obliged to pay you any bounty.
We will ban you if you do any of the following.
NEVER attempt to gain access to another user's account or data.
NEVER attempt to degrade the services.
NEVER impact other users with your testing.
Do not use fuzzers, scanners, or other automated tools to find vulnerabilities.
Large-scale scans with automated tools are strictly prohibited. If your testing has a negative impact on any part of our platform, we may block your IP address without further notice. If you continue to perform prohibited actions on our platform, we will ban you and may, in some cases, take legal action against you.
Out-of-Scope Issues
The following types of reports/attacks are out of scope. Do not attempt them:
DOS attacks
Brute force attacks
Physical vulnerabilities
Social engineering attacks, including but not limited to phishing
Email authentication issues (SPF, DKIM, etc.)
Hyperlink injection in emails
CSRF on forms that are available to anonymous users (e.g., signup, login, contact, Intercom)
Self-XSS and issues exploitable only through self-XSS
Clickjacking and issues only exploitable through clickjacking
Functional, UI and UX bugs and spelling mistakes
Descriptive error messages (e.g. stack traces, application or server errors)
HTTP 404 codes/pages or other HTTP error codes/pages
Banner disclosure on common/public services
Disclosure of known public files or directories, (e.g. robots.txt)
Presence of application or web browser "autocomplete" or "save password" functionality
User enumeration on login
Absence of rate limits
What is forbidden
Disclosing any vulnerabilities or suspected vulnerabilities you discover to any other person without explicit authorization from Somera
Disclosing the contents of any submission without explicit authorization from Somera
Accessing private information of any person stored on a Somera product or service; you must use test accounts
Accessing sensitive information (e.g. credentials)
Performing actions that may negatively affect Somera or its customers (e.g. spam, brute force, denial of service). If you see that your testing is impacting Somera, you must stop immediately and inform us
Conducting any kind of physical attack on Somera's personnel, property or data centers
Social engineering (e.g. phishing, vishing, smishing) of any Somera help desk, employee, contractor or user
Conducting vulnerability testing of participating services using anything other than test accounts
Exfiltrating data; test only the minimum necessary to validate a vulnerability
Violating any applicable laws or breaching any applicable agreements in order to discover vulnerabilities.