Raffall Bug Bounty Program for Responsible Disclosure
Raffall decided to encourage security researchers with a bug bounty program to identify and submit vulnerability reports regarding our platform.
Participation in our bug bounty program is voluntary and subject to the legal terms and conditions detailed on our Terms and Conditions page. By submitting a vulnerability report to Raffall, you acknowledge that you have read and agreed to our program terms.
Guidelines
We will respond as quickly as possible to your submission and we will keep you updated as we work to fix the bug you submitted, but please allow us a reasonable amount of time to work through your submissions diligently. Furthermore, we will not take legal action against you if you respect the terms of our program and act in good faith.
We ask you to respect the following rules of our bug bounty program:
- Don’t make the bug public before it has been fixed.
- Don’t attempt to gain access to another user’s account or data. Use your own test accounts for cross-account testing.
- Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
- Do not impact other users with your testing; this includes testing for vulnerabilities in accounts you do not own. We may suspend your Range account and ban your IP address if you do so.
- Don’t use scanners or automated tools to find vulnerabilities. They’re noisy, and we may suspend your Range account and ban your IP address.
- No non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Incentives
Raffall uses the Common Vulnerability Scoring System (CVSS), an industry-standard calculator for determining the severity of a bug. CVSS provides a common language for describing severity, and we use the CVSS score determined by our team to classify each bug into one of the following severities:
| Severity | Reward |
|----------|---------|
| Minor | 50 GBP |
| Medium | 250 GBP |
| High | 500 GBP |
| Critical | 750 GBP |
Please be advised that only the first person to disclose the security issue will be eligible for a reward, and only after we have acknowledged and confirmed that the issue has been fixed will one of our support specialists contact you via email to process the payment.
We require that you remain patient until you have been notified that the issue has been resolved.
Payments
Please note that we currently only support wire transfers through our bank. To facilitate payouts under this responsible disclosure policy, you must supply all documents requested by our bank and legal department so that we can comply with all applicable "Know Your Customer" and "Anti Money Laundering" laws and regulations in the United Kingdom.
Scope
*.raffall.com (please read our out-of-scope rules)
Out of scope
- Descriptive error messages (e.g. stack traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Banner disclosure on common/public services.
- Disclosure of known public files or directories (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure and HttpOnly cookie flags.
- Lack of a security speedbump when leaving the site.
- Weak CAPTCHA / CAPTCHA bypass.
- Username enumeration via the login page error message.
- Username enumeration via the forgot password error message.
- Login or forgot password page brute force and account lockout not enforced.
- OPTIONS / TRACE HTTP methods enabled.
- SSL attacks such as BEAST, BREACH, and renegotiation attacks.
- SSL forward secrecy not enabled.
- SSL insecure cipher suites.
- Missing anti-MIME-sniffing header (X-Content-Type-Options).
- Missing HTTP security headers (see https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/).
- Third-party websites. Some services hosted in less common domains may be operated by our vendors or partners. We can’t authorize you to test these systems on behalf of their owners and will not reward such reports. Please read the fine print on the page and examine domain and IP WHOIS records to confirm. If in doubt, talk to us first!
How to Submit
Please reach out with your findings to our customer support team who will put you in contact with the responsible persons.
Final Notes
Only principals, not vulnerability brokers, are eligible to participate in our program.
Raffall will make the final decision on bug eligibility and value. This program exists entirely at our discretion and may be modified or cancelled at any time. Any changes we make to our program's terms do not apply retroactively.
Thanks for helping us make Raffall more secure.
As of February 22, 2022 we have adjusted our incentive structure after careful consideration, reviewing similar bug bounty programs and feedback from our community of security researchers. For all submissions prior to this date our old incentive structure still applies.