Angvlar Product Security
Security and privacy at Angvlar start with our values.
At Angvlar, we understand that security and privacy are essential because we are in it for the community. This means we’re committed to working with our community, including through our security program to recognize helpful hackers that work with Angvlar.
Helpful Hacker Program
Our Helpful Hacker program allows our community to report product vulnerabilities to Angvlar. We operate the program based on the following principles:
a. Reported issues will be prioritized based on impact on our community, not based on financial incentives.
b. Swift resolution based on impact on our community, aiming for less than 72 hours after the report has been made.
c. Reported issues will be disclosed by Angvlar to the community shortly after resolving the problem.
d. Responsible disclosure, meaning that you give us a fair go to resolve the issue before the vulnerability is disclosed to the community. This helps us protect the security and privacy of our community.
Reporting a vulnerability
If you believe you have found a general security vulnerability in an Angvlar product, you can use this form to report the vulnerability to us. We will confirm receiving your report and follow up with verification and the target date for full disclosure following resolution.
For security issues related to your account, you should contact our friendly Help Team.
Whilst investigating potential vulnerabilities, you must not:
a. Test against any service that Angvlar doesn’t own. This includes all third-party providers, whether or not they are hosted on an Angvlar owned/operated subdomain.
b. Disrupt the availability of any Angvlar services.
c. Attempt to gain access to another user’s data or information.
d. Impact other users with your testing.
e. Attempt non-technical attacks such as social engineering or physical attacks against employees or infrastructure.
f. Pivot your approach from one vulnerability to another to escalate your access.
g. Share sensitive information exposed during the course of finding a vulnerability.
h. Violate any laws.
If in doubt, get in touch first!
Included in scope are any products or services that reside under the following domains that are owned by Angvlar:
webcultu.re (subdomains are NOT included)
This program does not offer bounties or rewards, financial or otherwise. In recognition of our appreciation, Helpful Hackers will be added to the Angvlar Honour Roll.
While not extensive, this list provides some examples of what we classify as a security vulnerability and will award to Helpful Hackers.
a. Authentication or authorization flaws
b. Cross-site scripting
c. Cross-site request forgery
d. Server-side code execution bugs
e. Viewing another user’s personal or sensitive data
f. Remote code execution
g. SQL injection
h. Bypassing of security controls or boundaries
a. You are not the first person to identify the vulnerability. While we endeavour to promptly address and disclose security reports, multiple reports may come in for the same issue, in which case we will only award the initial reporter.
b. Vulnerabilities that Angvlar determines to be an acceptable risks.
c. Vulnerabilities requiring exceedingly unlikely user interaction or steps to exploit.
d. Phishing attacks. We do not accept phishing of users or staff as a security vulnerability that we can manage or mitigate. If you do find one, please don’t hesitate to get in touch so we can take some steps to remove it from public consumption.
e. Third-party plugins or browser-based scripts used to enhance or alter the Angvlar products. If you use a tool to alter how the Angvlar sites look or interact and discover a vulnerability with the tool, you are best to disclose the issue to the project maintainer.
f. Presence of banner or version information. On its own, we don’t consider the showing of the product version a vulnerability. However, if you find a very outdated version or think it defines a security risk, please get in touch.
g. Denial of service attacks. In the interest of service availability, we strongly discourage anyone who uses automated tools that generate significant volumes of traffic that may impact our users.
h. General security advice without an identified vulnerability report. While it’s appreciated that people reach out to our team regarding general security advice, such as not using exposed HTTP query parameters, without an attached vulnerability, we will not award the submission.
If you are ever unsure whether the vulnerability you are testing is questionable or may fall into the non-qualifying category, please contact us for guidance.
|Name||Dates of reports|
|Your Name||XX.XX.XXXX, |
|Someone else’s name||XX.XX.XXXX|