Responsible Disclosure Policy
At hihaho, we consider the security of our systems a top priority. But no matter how much effort we put into securing our systems, vulnerabilities can still slip through. If you discover one, we would like to know about it so that we can address it as quickly as possible. We ask you to help us better protect our clients and our systems.
In our opinion, the practice of ‘responsible disclosure’ is the best way to safeguard the Internet. It allows individuals to notify companies like hihaho of security threats before going public with the information, which gives us a fighting chance to resolve the problem before the criminally minded become aware of it. Responsible disclosure is the industry’s best practice, and we recommend it as a procedure to anyone researching security vulnerabilities.
Not an invitation to actively scan our network
Our Responsible Disclosure Policy is not an invitation to actively scan our network or our systems for weaknesses. We monitor our company network, so we will most likely pick up your scan; our security team will then investigate it, which may lead to unnecessary costs.
During your investigation you may take actions that are prohibited by law. We advise you not to do so, but if you have met the conditions stated in this document, hihaho will not take legal action against you. Note, however, that the Public Prosecutor always retains the right to decide whether or not to prosecute you.
Rules of engagement
We are interested in learning about security issues found in our web service. Our customers’ systems are out of scope unless explicitly stated otherwise.
There are some things we explicitly ask you not to do:
- When experimenting, please only attack test accounts that you control. We may disqualify proofs of concept that unnecessarily involve accounts of other end users or of hihaho employees.
- Do not test the physical security of hihaho offices, employees, equipment, etc.
- Do not test using social engineering techniques (phishing, vishing, etc.).
- Do not perform DoS or DDoS attacks.
- Do not, in any way, attack our end users or engage in the trade of stolen user credentials.
- Do not abuse a vulnerability you have found by:
  - Downloading more data than is necessary to demonstrate it.
  - Changing or removing data.
  - Sharing the vulnerability with others before it has been resolved.
Our request to you:
- Report your finding as quickly as possible by sending an e-mail to: email@example.com.
- Please provide sufficient information to reproduce the problem you found, so that we can resolve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
- We ask you to give us a minimum of 30 days to resolve the issue before going public with the vulnerability.
What we promise:
- We will respond to your report within three business days with our evaluation and an expected resolution date.
- If you have followed the instructions/stipulations above, we will not take any legal action against you regarding the report.
- We will handle your report with strict confidentiality and not pass on your personal details to third parties without your permission.
- We will keep you informed of the progress toward resolving the problem.
- In published information concerning the problem reported, we will mention your name as the discoverer of the problem (unless you desire otherwise).
The following finding types are specifically excluded:
- Descriptive error messages (e.g., stack traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Security header issues without a proof of concept.
- Reports about websites such as https://hihaho.com.
- Issues involving third-party software such as Intercom.
- Issues involving e-mail verification.
- Issues involving DMARC.
- Issues involving field validation.
- Generic bugs.
- Already known issues.