ISOP APP

(Responsible Vulnerability Disclosure Program)

Policy

ISOP app is an educational app that aims to replace the old classroom culture with a virtual classroom, making learning more interactive and fun and letting students earn money while studying. ISOP places a high priority on keeping its users' data secure, so we look forward to working with security researchers to find security vulnerabilities in the ISOP app.

Rewards

  • The bounty amount is based on the vulnerability's severity, scope and exploitability level.

Program Rules

  • Please provide us with a detailed report with all reproducible steps. If the report is not detailed enough for us to reproduce the issue, we may not accept it.
  • Submit only one vulnerability per report, unless the vulnerabilities are linked.
  • Multiple vulnerabilities caused by one underlying issue will be treated as one valid report, and the bounty will be paid for one vulnerability.
  • Social engineering of any kind (phishing, vishing, smishing) is prohibited.

Hunting Guidance

  • Please always work with a test account; your testing must not impact our users. We offer various subscription plans, but the normal user tier is free of cost.
  • If you need your test account moved to another subscription tier for testing purposes, you can request this at bounty@isopnepal.com.
  • DoS testing is completely prohibited.
  • We are most concerned with our users' personal details, so the scope of the hunt covers both our frontend app and our backend servers.

Target App

Out of Scope Vulnerabilities

Please consider the impact of the bug; reports with a more critical impact are prioritised. The following issues are considered out of scope:

  • Clickjacking on pages with no sensitive actions.
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS.
  • Rate limiting or bruteforce issues on non-authentication endpoints.
  • Missing best practices in Content Security Policy.
  • Missing HttpOnly or Secure flags on cookies.
  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
  • Tabnabbing.
  • Open redirect - unless an additional security impact can be demonstrated.
  • Issues that require unlikely user interaction.
  • Absence of certificate pinning.
  • Lack of obfuscation.

Disclosure Policy

If you believe that you have discovered a vulnerability, please report it to the email address provided, with a detailed proof of concept. As soon as you submit your report you are bound by our disclosure policy, which means you are not allowed to share or release any information about the reported vulnerabilities to the public. Once the bug is fixed and the details to be published have been mutually agreed, security researchers are allowed to share the information.

Report Email