Bug Bounty Program
We are committed to protecting our community and have established a security program through which users can report security-related issues associated with our website to us.
If you believe you have found a vulnerability or issue and would like to participate in our Program, we ask that you submit a detailed description of the issue to us, including the steps that we can take to reproduce the issue and/or a proof-of-concept.
Once you submit a Report to us, please allow our team a reasonable amount of time to respond to your Report and correct the issue. We truly appreciate your efforts to protect our community, and we may reward participants for helping us out. All Reports are subject to the terms and conditions of our Program, set forth below, and to the Terms of Service available on the Website.
Scope
We invite and welcome Reports on any security-related issue or vulnerability that you may find on our Website. However, please do not resort to phishing, spamming or other questionable methods that may harass our users or compromise their data, generate significant volumes of traffic, or cause disruption to our Website. You are allowed to use automated security scanning tools, as long as they do not cause any issues.
Bounty
The minimum reward is $100 for security vulnerabilities. The reward depends on the severity of the vulnerability. Issues without security impact are not eligible for a bounty, but they are still welcome and will be treated like any other report.
Eligibility
- You must be the first reporter of the vulnerability.
- You do not access other users' data and use only accounts you created yourself.
- You may not publicly disclose the vulnerability prior to our resolution.
- You provide a working proof of concept that exploits the security issue.
- The vulnerability report is encrypted with PGP (details below; see: Contacting us).
Exclusion
- Login/Logout CSRF
- DDoS
- Social engineering of customers or employees of HOT Group AG
- Self-XSS (we require evidence of how the XSS can be used to attack another Algolia user)
- Missing rate limits
- Reports from automated tools and scans
- Vulnerabilities that send spam or unauthorised messages
- Bugs in 3rd party software
- X-Frame-Options related issues
- Issues relating to HSTS
- DNSSEC
- Missing security headers which do not lead directly to a vulnerability
- Physical attacks on the infrastructure
- Theoretical attacks
- Breaking of SSL/TLS trust
- Compromise of a browser or device (e.g. computer sharing, physical access to a user's device, ...)
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
- Password and account recovery policies, such as reset link expiration or password complexity
- Vulnerabilities without a solution on our side (HEIST, ...)
- Outdated DNS records pointing to systems which do not belong to us
Ownership and Incentive
Any Report that you submit to us will become our property, and we are under no obligation to act on a Report. However, if we do act on a Report, we may in our sole discretion extend monetary or non-monetary compensation to you as a gesture of our appreciation for helping out. You will be responsible for any taxes and any expenses, costs, or fees associated with your participation in the Program and any Reward.
Warranty Disclaimers
YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT: (1) YOUR PARTICIPATION IN THE PROGRAM AND USE OF ANY REWARD IS AT YOUR SOLE RISK. HOT GROUP AG EXPRESSLY DISCLAIMS ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. HOT GROUP AG SPECIFICALLY DISCLAIMS ANY LIABILITY WITH REGARD TO ANY ACTIONS RESULTING FROM YOUR PARTICIPATION IN THE PROGRAM OR USE OF ANY REWARD.
Final Note
We ask that you follow the principles of responsible disclosure and give our development team a reasonable amount of time to respond to and correct the submitted issue before you make it public. We ask you to remain open in communicating with us regarding any public disclosure so that we are in agreement on the report and timelines.
Thank you very much, we truly appreciate your effort! Happy hacking!