Anonybit places high importance on the security of its offerings. We hold the view that the responsible reporting of security issues by security researchers plays a crucial role in our commitment to maintaining high-security standards for our systems. This Responsible Disclosure Policy is designed to provide security researchers with clear guidance on how to carry out vulnerability discovery and communicate their findings to us. A foundation of trust, respect, and openness is essential for responsible disclosure, and engaging all security community participants.
Should you uncover a genuine or potential security flaw in any software or source code owned by Anonybit, we encourage you to notify us immediately. Our goal is to collaborate with you to enhance the protection of our clients and our infrastructure.
We commit to acknowledging your report of a vulnerability promptly. Should your report prove to be legitimate, we aim to keep you informed of our progress in addressing the issue.
For updates on your disclosure, don’t hesitate to reach out to us at security@anonybit.io.
Disclosure Process
Always make sure to steer clear of violating privacy, harming user experiences, disrupting operational systems, or altering or destroying data.
Limit the use of exploits solely to verify the existence of any genuine or possible security flaws. Please refrain from leveraging an exploit to access, steal, or manipulate data, establish ongoing command-line access, or use the exploit as a means to infiltrate other systems.
Avoid disclosing any security issues publicly or to third parties without our explicit written agreement. Instead, direct your reports to security@anonybit.io.
We prefer that all correspondence be conducted in English. To assist us in better understanding the nature and extent of the potential issue, please provide the following information (as much as possible):
Type of issue
- Remote Code Execution (RCE),
- Server-side request forgery (SSRF), SQL injection, cross-site scripting, etc.);
- Full paths of (source) file(s) related to the manifestation of the issue;
- When applicable, the location of the affected source code (tag/branch/commit or direct URL);
- Step-by-step instructions to reproduce the issue; Impact of the issue, including how an attacker might exploit the issue this information will help us triage your report more quickly.
Out of Scope
The following issues are considered out of scope:
Web
- Self-XSS that cannot be used to exploit other users
- Attacks requiring MITM or physical access to a user’s device
- CORS misconfiguration on non-sensitive endpoints
- Missing security headers and cookie flags
- Missing Best practices, issues related to password policy
- Automated scanner-generated reports; (e.g. Nuclei, Zap, Burpscan Report, etc.)
- Tabnabbing and Clickjacking
- Issues related to email spoofing, SPF, DMARC or DKIM
- Content Spoofing / Text injection / IDN homograph issues without showing impact.
- Missing best practices in SSL/TLS/CAA configuration
- Disclosing API keys without proven impact.
- Banner grabbing / Version disclosure / Path Disclosure
- UserId / email enumeration
- Issues related to Exif data and XMLRPC
- HTTP Request smuggling without any proven impact
- Hyperlink injection or any link injection in emails we send
- Use of a known-vulnerable library without proven impact
- Mixed content type issues
Mobile Device
- Attacks requiring physical access to the victim’s device
- The absence of certificate pinning
- API key leakage is used for insensitive activities/actions
- Lack of jailbreak & root detection
Rules of Engagement
Please DO NOT disclose the vulnerability until we have been able to correct it. See below for possible publication.
Do not exploit the vulnerability by unnecessarily copying, deleting, adapting, viewing data or downloading more data than is necessary to demonstrate the vulnerability.
Do not apply the following actions:
- Placing malware (virus, worm, Trojan horse, etc.);
- Copying, modifying, or deleting data in a system;
- Making changes to the system;
- Repeatedly accessing the system or sharing access with others;
- Using the so-called “brute force” of access to systems;
- Using denial-of-service or social engineering (phishing, vishing, spam, etc.).
- Do not use attacks on physical security, social engineering, distributed denial of service, spam, or third-party applications.
- Immediately erase all obtained/exfiltrated data as soon as it is reported.
- Do not perform actions that could have an impact on the proper functioning of the system, both in terms of availability and performance, but also in terms of confidentiality and integrity of the data.
- Please do not submit a high volume of low-quality reports on security vulnerabilities.
Actions under this Responsible Disclosure Policy should only include testing for and informing Anonybit of potential vulnerabilities. Should you wish to disclose information about a vulnerability on social media or to any third party after it has been resolved, you must obtain our written consent by notifying us at least one month prior. Thus, public identification or disclosure before any third party is contingent upon our explicit written consent.
If you have questions, we urge you to reach out to the Anonybit Security Team at security@anonybit.io. Should there be any uncertainty regarding this Policy’s relevance, contact us first at the provided email to request explicit permission.
Anonybit retains the authority to modify or end this Policy at any time.
Acknowledgements
We are not offering cash rewards for any reported vulnerabilities. If your submission is valid, we can send you some Anonybit swag as a token of our appreciation.