Skip to main content
Sign in

Bug Bounty Program

  • Updated

Raffall Bug Bounty Program for Responsible Disclosure 

Raffall decided to encourage security researchers with a bug bounty program to identify and submit vulnerability reports regarding our platform.

 

Participation in our bug bounty program is voluntary and subject to the legal terms and conditions detailed on our Terms and Conditions page. By submitting a vulnerability report to Raffall, you acknowledge that you have read and agreed to our program terms.

 

Guidelines

We will respond as quickly as possible to your submission and we will keep you updated as we work to fix the bug you submitted, but please allow us a reasonable amount of time to work through your submissions diligently. Furthermore, we will not take legal action against you if you respect the terms of our program and act in good faith.

 

We ask you to respect the following rules of our bug bounty program:

  1. Don’t make the bug public before it has been fixed.

  2. Don’t attempt to gain access to another user’s account or data. Use your own test accounts for cross-account testing.

  3. Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.

  4. Do not impact other users with your testing, this includes testing for vulnerabilities in accounts you do not own. We may suspend your Range account and ban your IP address if you do so.

  5. Don’t use scanners or automated tools to find vulnerabilities. They’re noisy and we may suspend your Range account and ban your IP address.

  6. No non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

 

Incentives

Raffall utilizes the Common Vulnerability Scoring System (CVSS) - an industry standard calculator used to determine the severity of a bug. The CVSS enables there to be a common language around the severity of bugs and we will use the CVSS score that our team determined to classify bugs in one of the following severities:

 

Severity

Reward

Minor

100 GBP

Medium

500 GBP

High

1000 GBP

Critical

1500 GBP

 

Please note that currently, we support only wire transfers through our bank. In order to facilitate payouts under this responsible disclosure policy you have to supply all necessary documents as requested by our legal department and our bank to comply with all applicable "Know Your Customer" and "Anti Money Laundering" laws and regulations in the United Kingdom.

 

Scope

*.raffall.com (please read our out of scope rules)

 

Out of scope

  • Descriptive error messages (e.g. Stack Traces, application or server errors).

  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.

  • Banner disclosure on common/public services.

  • Disclosure of known public files or directories, (e.g. robots.txt).

  • Clickjacking and issues only exploitable through clickjacking.

  • CSRF on forms that are available to anonymous users (e.g. the contact form).

  • Logout Cross-Site Request Forgery (logout CSRF).

  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.

  • Lack of Secure and HTTPOnly cookie flags.

  • Lack of Security Speedbump when leaving the site.

  • Weak Captcha / Captcha Bypass

  • Username enumeration via Login Page error message

  • Username enumeration via Forgot Password error message

  • Login or Forgot Password page brute force and account lockout not enforced.

  • OPTIONS / TRACE HTTP method enabled

  • SSL Attacks such as BEAST, BREACH, Renegotiation attack

  • SSL Forward secrecy not enabled

  • SSL Insecure cipher suites

  • The Anti-MIME-Sniffing header X-Content-Type-Options

  • Missing HTTP security headers, specifically (https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/)

 

How to Submit

Please reach out with your findings to our customer support team who will put you in contact with the responsible persons.

 

Final Notes

Only principals, not vulnerability brokers are eligible to participate in our program.

Raffall will make the final decision on bug eligibility and value. This program exists entirely at our discretion and may be modified or canceled at any time. Any changes we make to our program's terms do not apply retroactively.

 

Thanks for helping us make Raffall more secure.



Related articles