Welcome to Funding Societies | Modalku Group Vulnerability Disclosure Program (VDP). This policy is designed to encourage security researchers and the general public to responsibly report security vulnerabilities they may discover on our Website/Cloud/Mobile Assets. Your efforts help us maintain a safe and secure environment for our users.
Ensuring our customers' data is safe and our products and services are dependable is a top priority for Funding Societies. Therefore, we aim to design and make products and services with the highest levels of security and reliability.
This policy describes Funding Societies' approach to requesting and receiving reports related to potential vulnerabilities and errors in its products and services.
Customers, users, researchers, partners, and any other person who interacts with Funding Societies' products and services are encouraged to report identified vulnerabilities and errors using the contact details provided on this page.
Funding Societies highly appreciates the efforts made by the reporting party in identifying the vulnerability or error. This will contribute to improving the security and reliability of our products and services.
Responsible Reporting: When reporting potential vulnerabilities and errors in Funding Societies' products and services, please adhere to the following guidelines. The first rule is that you should not exploit or utilise any discovered vulnerabilities or errors for any purpose other than reporting them to Funding Societies.
Ethical Testing: Avoid any testing or research with the intent to harm Funding Societies, its stakeholders, or partners. Ethical reporting ensures a secure environment.
Data Integrity: Maintain data integrity. Do not tamper, delete, alter, or destroy accessed data related to vulnerabilities. This upholds the integrity of the investigation.
Prohibited Activities: Prohibited activities include social engineering, spamming, phishing, denial-of-service, resource-exhaustion attacks, running automated fuzzers / tools / scripts. These actions are strictly off-limits for the testing.
Legal Compliance: Adherence to all applicable laws is mandatory. Actions leading to your report should not violate any relevant laws or regulations.
Confidentiality: Maintain confidentiality. Do not disclose information about your report, the vulnerabilities, or that you've reported them to Funding Societies. Do not disclose the vulnerability or details about it publicly.
Limited Exploitation: Only exploit the vulnerability to the extent necessary to prove its existence; do not exploit it further than necessary.
Service Integrity: Do not intentionally damage or degrade the integrity of Funding Societies' services.
No Denial-of-Service (DoS) Attacks: Do not engage in any form of Denial-of-Service (DoS) attack against Funding Societies' services.
Respect for Privacy: Don't violate the privacy of other users, destroy data, disrupt services, or engage in any harmful activities.
If you believe you have discovered a security vulnerability, please submit a report by sending an email to mailto:[email protected] with the following information: a detailed description of the vulnerability, including steps to reproduce it, any relevant screenshots, videos, or proof of concept code, and your contact information. Our security team will then investigate the report and provide you with updates on our progress. Reporting a security issue to Funding Societies implies your acceptance of the terms and conditions outlined in the Vulnerability Disclosure Policy and Rules of Engagement.
As a token of our appreciation for your responsible disclosure, we offer an acknowledgement via email. Additionally, individuals who make substantial contributions to the security of our services, such as identifying and reporting impactful vulnerabilities, will be featured in our Hall of Fame.
If you have any specific questions pertaining to the program scope and vulnerabilities, you can reach out to the Funding Societies team at mailto:[email protected]
The following issue types are considered out of scope for this program:
Subdomain takeover without actual proof
Account harvesting (e.g. enumerating WordPress usernames)
Access to keys and credentials without proof that they are valid
Lack of rate-limiting on API endpoints, unless it is for brute-forcing of a pass token with insufficient entropy (e.g. 4 digit passcode without invalidation and rate-limiting)
Vulnerabilities found in rooted mobile devices
UUID enumeration of any kind.
Invite/Promo code enumeration.
Open redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g. stealing OAuth tokens, we do still want to hear about them.
Reports that state that software is out of date/vulnerable without a proof-of-concept.
Reports that affect only outdated user agents or app versions -- we only consider exploits in the latest browser versions of Safari, Firefox, Chrome, Edge and IE, and in the versions of our application that are currently in the app stores.
Stack traces, path disclosure, and directory listings.
Best practices concerns.
Highly speculative reports about theoretical damage -- please always provide a proof-of-concept.
Most vulnerabilities are within our sandbox or staging environments.
Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.
Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.
Distributed denial of service attacks (DDoS) or any activity that will cause service disruptions.
Content injection issues.
Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
Missing cookie flags on non-authentication cookies.
Missing HTTP security headers.
Lack of HTTPOnly and Secure cookie flags.
Issues that require physical access to a victim’s computer/device.
SSL/TLS scan reports (this means output from sites such as SSL Labs).
Banner grabbing issues (figuring out what web server we use, etc.).
Open ports without an accompanying proof-of-concept demonstrating vulnerability.
Broken Link Hijacking.
Entering the Funding Societies offices, throwing crisps everywhere, unleashing a bunch of hungry raccoons, and hijacking an abandoned terminal on an unlocked workstation while staff are distracted (social engineering, etc.).
Registered with Securities Commission Malaysia.
Modalku Ventures Sdn Bhd 201601019329 (1190266X)
© 2020 Modalku Ventures Sdn Bhd. All rights reserved.