Vulnerability Disclosure Policy

Welcome to Funding Societies | Modalku Group Vulnerability Disclosure Program (VDP). This policy is designed to encourage security researchers and the general public to responsibly report security vulnerabilities they may discover on our Website/Cloud/Mobile Assets. Your efforts help us maintain a safe and secure environment for our users.

• Ensuring our customers' data is safe and our products and services are dependable is a top priority for Funding Societies. Therefore, we aim to design and make products and services with the highest levels of security and reliability.

• This policy describes Funding Societies' approach to requesting and receiving reports related to potential vulnerabilities and errors in its products and services.
  Customers, users, researchers, partners, and any other person that interacts with Funding Societies' products and services are encouraged to report identified vulnerabilities and errors by details provided on this page.

• Funding Societies highly appreciates the efforts made by the reporting party in identifying the vulnerability or error. This will contribute to improving the security and reliability of our products and services.

Rules of Engagement:

1. Responsible Reporting: When reporting potential vulnerabilities and errors in Funding Societies' products and services, adhere to certain guidelines. The first rule is that you should not exploit or utilise any discovered vulnerabilities or errors for any purpose other than reporting them to Funding Societies.

2. Ethical Testing: Avoid any testing or research with the intent to harm Funding Societies, its stakeholders, or partners. Ethical reporting ensures a secure environment.

3. Data Integrity: Maintain data integrity. Do not tamper, delete, alter, or destroy accessed data related to vulnerabilities. This upholds the integrity of the investigation.

4. Prohibited Activities: Prohibited activities include social engineering, spamming, phishing, denial-of-service, resource-exhaustion attacks, running automated fuzzers / tools / scripts. These actions are strictly off-limits for the testing.

5. Legal Compliance: Adherence to all applicable laws is mandatory. Actions leading to your report should not violate any relevant laws or regulations.

6. Confidentiality: Maintain confidentiality. Do not disclose information about your report, the vulnerabilities, or that you've reported them to Funding Societies. Do not disclose the vulnerability or details about it publicly.

7. Limited Exploitation: Only exploit the vulnerability to the extent necessary to prove its existence; do not exploit it further than necessary.

8. Service Integrity: Do not intentionally damage or degrade the integrity of Funding Societies' services.

9. No Denial-of-Service (DOS) Attacks: Do not engage in any form of Denial-of-Service (DOS) attack against Funding Societies' services.

10. Respect for Privacy: Don't violate the privacy of other users, destroy data, disrupt services, or engage in any harmful activities.

Reporting Process

If you believe you have discovered a security vulnerability, please submit a report by sending an email to mailto:[email protected] with the following information: a detailed description of the vulnerability, including steps to reproduce it, any relevant screenshots, videos, or proof of concept code, and your contact information. Our security team will then investigate the report and provide you with updates on our progress. Reporting a security issue to Funding Societies implies your acceptance of the terms and conditions outlined in the Vulnerability Disclosure Policy and Rules of Engagement.

Appreciation

As a token of our appreciation for your responsible disclosure, we offer an acknowledgement via email. Additionally, individuals who make substantial contributions to the security of our services, such as identifying and reporting impactful vulnerabilities, will be featured in our Hall of Fame subjected to user consent.

Contact

If you have any specific questions pertaining to the program scope and vulnerabilities, you can reach out to the Funding Societies team at mailto:[email protected]

Hall of Fame

Year 2023

2024

Out-of-Scope:

• Subdomain takeover without actual proof

• Account harvesting (e.g. enumerating WordPress usernames)

• Access to keys and credentials without proof that they are valid

• Lack of rate-limiting on API endpoints, unless it is for brute-forcing of a pass token with insufficient entropy (e.g. 4 digit passcode without invalidation and rate-limiting)

• Vulnerabilities found in rooted mobile devices

• UUID enumeration of any kind.

• SSL Pinning

• Invite/Promo code enumeration.

• Open redirects. 99% of open redirects have low-security impact. For the rare cases where the impact is higher, e.g., stealing oauth tokens, we do still want to hear about them.

• Reports that state that software is out of date/vulnerable without a proof-of-concept.

• Reports that affect only outdated user agents or app versions -- we only consider exploits in the latest browser versions for Safari, FireFox, Chrome, Edge, IE and the versions of our application that are currently in the app stores.

• Stack traces, path disclosure, and directory listings.

• CSV injection.

• Best practices concerns.

• Highly speculative reports about theoretical damage -- please always provide a proof-of-concept.

• Vulnerabilities that cannot be used to exploit other users or Funding Societies -- e.g. self-xss (having a user paste JavaScript into the browser console).

• Most vulnerabilities are within our sandbox or staging environments.

• Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.

• Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.

• Distributed denial of service attacks (DDOS) or any activity that will cause service disruptions.

• Content injection issues.

• Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)

• Missing cookie flags on non-authentication cookies.

• Email Spoofing.

• Missing HTTP security headers.

• Lack of HTTPOnly and Secure cookie flags.

• Issues that require physical access to a victim’s computer/device.

• SSL/TLS scan reports (this means output from sites such as SSL Labs).

• Banner grabbing issues (figuring out what web server we use, etc.).

• Open ports without an accompanying proof-of-concept demonstrating vulnerability.

• Broken Link Hijacking.

• Entering the Funding Societies offices, throwing crisps everywhere, unleashing a bunch of hungry raccoons, and hijacking an abandoned terminal on an unlocked workstation while staff are distracted (social engineering etc).