Report bugs & vulnerabilities
Efani’s security pledge
At DontPort LLC (hereinafter referred to as “efani”), we take security seriously and we are committed to protecting our customers. Efani believes that working with skilled security researchers across the globe is crucial in identifying weaknesses. If you believe you have found a security issue in our product or service, we encourage you to notify us.
By joining the program, you agree that you have read and understood the provisions set forth in scope, and agree to observe them. In this program you can only test our servers & procedures. Do not test our customers’ security without their explicit permission. Attacking our customers will end in a permanent ban from the program & a report to the regulators. We are happy to ship you our SIM card to test it locally. If your cooperation with us is at a good level, we will consider inviting you to our private program. Here you can find information on how our security level works: https://efani.com/how-secure-is-efani/
Eligibility & disclosure policy
- Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- You must be the first reporter of a vulnerability associated with a participating service (we will also not reward for a known vulnerability which we are actively fixing)
- You must have personally discovered the vulnerability and you may not report a vulnerability that was discovered by another person (including, in particular, someone who does not qualify to participate in the Bug Bounty Program)
- You must not be employed by efani or its subsidiaries or related entities, currently or in the last 12 months
- You must comply with these rules when discovering the vulnerability and submitting the vulnerability report
- All user data gathered in the attack phase has to be anonymised in the report and deleted from your laptop, etc.
- efani is not legally obliged to pay the bounty
What is forbidden:
- Huge scans using automated tools are strictly prohibited. If your tests have a negative impact on an element of our platform, we can take action to block your IP address without further notice. If you continue to perform prohibited actions on our platform, we will ban you from this program. In extreme cases we will take legal action against you.
- Disclosing any vulnerabilities or suspected vulnerabilities you discover to any other person without explicit authorization from efani
- Disclosing the contents of any submission to our program without explicit authorization from efani
- Accessing private information of any person stored on a product of efani or service – you must use test accounts
- Accessing sensitive information (e.g. credentials)
- Performing actions that may negatively affect efani or its customers (e.g. spam, brute force, denial of service). If you see that your tests have an impact on efani, you must stop them and inform us about it
- Conducting any kind of physical attack on efani’s personnel, property or data centers
- Social engineering (e.g. phishing, vishing, smishing) of any efani help desk, employee, contractor or user
- Conducting vulnerability testing of participating services using anything other than test accounts
- Exfiltrating data. Please test only the minimum necessary to validate a vulnerability (we can verify if the vulnerability would enable data exfiltration, and will reward accordingly)
- Violating any applicable laws or breaching any applicable agreements in order to discover vulnerabilities
Out of scope vulnerabilities
- Bugs in content/services that are not owned/operated by efani
- Vulnerabilities affecting users of outdated or unsupported browsers or platforms
- Cross Site Scripting bugs requiring an unlikely amount of user interaction
- CSRF on forms available to anonymous users
- Missing CAPTCHA
- Password complexity or account recovery policies
- Username / email enumeration
- HTTPS Mixed Content
- Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages, cookie flags, lack of CSP
- SSL Forward Secrecy
- Invalid or missing SPF (Sender Policy Framework) records
- Weak SSL/TLS Cipher Suites
- Sending vulnerability reports using automated tools without validation
- Use of a known-vulnerable library without evidence of exploitability
- Attacks requiring physical access to a user’s unlocked device
- Reports of spam, phishing or security best practices
Out of scope vulnerabilities
- Please keep any and all information obtained as a result of participation in the program in strict confidence and not disclose it; moreover, you shall take necessary precautions while storing this information notwithstanding the form in which it was provided (“Confidential Information”);
- You shall use the Confidential Information obtained as a result of participation in the program only within the scope required for such participation and shall take appropriate measures in order to keep this Confidential Information secret and prevent it from being disclosed to third parties;
- You shall be held liable for any direct and indirect damage that efani will incur as a result of disclosure of Confidential Information, including without limitation for any actual damage, lost profits, and any other costs incurred to enforce claims that efani may have for the violation hereof.
The fine print
It’s important to mention that we use the OWASP Risk Rating Methodology: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology, which may be different from the one you use. In calculating the severity of a report we mainly take into account the likelihood of the issue being exploited, not just its technical impact. We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. If you have any other questions about our security, please contact us at firstname.lastname@example.org. Thank you for helping keep efani and our users safe!