ISOP app is an educational app which aims to replace the old classroom culture with a virtual classroom, making learning more interactive and fun and letting students earn money while studying. ISOP is committed to keeping its users' data secure, so we look forward to working with security researchers to find security vulnerabilities in the ISOP app.
- The bounty amount will be based on the severity, scope and exploitability of the issue.
- Please provide us with a detailed report with all steps needed to reproduce the issue. If the report is not detailed enough to reproduce the issue, we may not entertain it.
- Submit only one vulnerability per report, unless the vulnerabilities are linked.
- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report, and the bounty will be paid for one vulnerability.
- Social engineering of any kind (phishing, vishing, smishing) is prohibited.
- Please always work with a test account; your testing must not impact our users. We have various subscription plans, but normal user accounts are free of cost.
- If you want your account to be moved to another subscription plan for testing purposes, you can request this at "firstname.lastname@example.org".
- DoS testing is completely prohibited.
- We are most concerned with our users' personal details, so the scope of the hunt covers our frontend app and backend servers:
- Android Play Store
- Apple App Store
- Application Programming Interface (API)
Out of Scope Vulnerabilities
Please consider the impact of the bug you report; the more critical the impact, the better. The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.
- Rate limiting or brute-force issues on non-authentication endpoints.
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies.
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records,
- Software version disclosure, banner identification issues, or descriptive error messages or headers (e.g. stack traces, application or server errors).
- Open redirect, unless an additional security impact can be demonstrated.
- Issues that require unlikely user interaction.
- Absence of certificate pinning.
- Lack of obfuscation.
If you believe that you have discovered a vulnerability, please report it to the email address provided above with a detailed proof of concept. As soon as you submit your report you are bound by our disclosure policy, which means you are not allowed to share or release any information about the found vulnerabilities to the public. Once the bug is fixed, security researchers are allowed to share the information that has been mutually agreed upon.