Responsible Disclosure Policy
At ANNY, we consider the security of our systems a top priority, and it is our constant endeavour to make our website a safe place for our customers to use. In the rare case that a security researcher or member of the general public identifies a vulnerability in our systems and responsibly shares the details with us, we appreciate their contribution and work closely with them to address the reported issue with urgency. We are also happy to acknowledge your contributions publicly.
If you have identified a vulnerability on any of our web properties, we ask that you follow the steps outlined below:
- Contact us immediately by sending an email to firstname.lastname@example.org with the details needed to recreate the vulnerability scenario. This may include screenshots, videos or simple text instructions.
- Share your contact details (email, phone number) so that our security team can reach out to you if further input is needed to identify or close the problem.
- Provide enough information to reproduce the problem, so that we are able to resolve it as quickly as possible.
- Do not reveal the problem to others until it has been resolved.
- Do not use attacks on physical security, social engineering, distributed denial of service, spam, etc.
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Code Execution
- SQL injection
- Server-Side Request Forgery (SSRF)
- Privilege Escalation
- Authentication Bypass
- File inclusion (Local & Remote)
- Protection Mechanism bypasses (CSRF bypass, etc.)
- Leakage of sensitive data
- Directory Traversal
- Payment manipulation
- Administration portals without an authentication mechanism
- Open redirects which allow stealing tokens/secrets
- Don't violate the privacy of other users, destroy data, disrupt our services, etc.
- Only target your own accounts in the process of investigating any bugs/findings. Don't target, attempt to access, or otherwise disrupt the accounts of other users.
- Don't target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDoS) attacks, etc.
- If you find a severe vulnerability that allows system access, you must not proceed further.
- It is ANNY's decision to determine when and how bugs should be addressed and fixed.
- Disclosing bugs to a party other than ANNY is forbidden; all bug reports are to remain at the discretion of the reporter and ANNY.
- Threats of any kind will automatically disqualify you from participating in the program.
- Exploiting or misusing the vulnerability for your own or others' benefit will automatically disqualify the report.
- Bug disclosure communications with ANNY's Security/Technology Team are to remain confidential.
- Researchers must destroy all artefacts created to document vulnerabilities (PoC code, videos, screenshots) after the bug report is closed.
Please note: we do not run a cash/bug bounty program, but we are happy to issue a certificate of recognition to individuals who report security issues responsibly and help us make ANNY's systems more secure.