Vulnerability Disclosure Programme

Guidelines

This disclosure program is limited to security vulnerabilities in all applications owned by Mosambee including Web, Payment API, MPoC, CPoC, SPoC & Dashboards. This program does not provide monetary rewards for bug submissions. The information on this page is intended for security researchers interested in responsibly reporting security vulnerabilities.

Eligible Vulnerabilities

We encourage the coordinated disclosure of the following eligible vulnerabilities in Mosambee applications, including Web, Payment API, MPoC, CPoC, SPoC & Dashboards:

  • Cross-site scripting
  • Cross-site request forgery in a privileged context
  • Server-side code execution
  • Authentication or authorization flaws
  • Injection vulnerabilities
  • Remote code execution
  • Significant security misconfiguration
  • Particularly clever vulnerabilities or unique issues that do not fall into explicit categories

To receive credit, you must be the first reporter of a vulnerability and provide us with a reasonable amount of time to remediate before publicly disclosing. When submitting a vulnerability, please provide concise, easily understood steps to reproduce it.

Program Exclusions

While we encourage any submission affecting the security of a Mosambee application (as listed above), the following examples are excluded from this program unless evidence is provided demonstrating exploitability:

  1. Content spoofing / text injection
  2. Self-XSS [to be valid, cross-site scripting issues must be exploitable in reflected, stored or DOM-based types]
  3. Logout and other instances of low-severity Cross-Site Request Forgery
  4. Cross-site tracing (XST)
  5. Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing OAuth tokens)
  6. Missing HTTP security headers
  7. Missing cookie flags on non-sensitive cookies
  8. Password and account recovery policies, such as reset link expiration or password complexity
  9. Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)
  10. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
  11. SSL/TLS best practices
  12. Clickjacking/UI redressing with no practical security impact
  13. Software version disclosure
  14. Username / email enumeration via Login Page or Forgot Password Page error messages
  15. Methods to extend product trial periods.
  16. Missing best practices in SSL/TLS configuration.
  17. Clickjacking on pages with no sensitive actions.
  18. Any activity that could lead to the disruption of our service (DoS).
  19. Previously known vulnerable libraries without a working Proof of Concept.
  20. Reflected and DOM XSS (We are aware of these site-wide issues and are working to remedy them as soon as possible. These will be moved back into scope at a later time).
  21. Reflected and DOM-based CSRF (We are aware of these site-wide issues and are working to remedy them as soon as possible. These will be moved back into scope at a later time).
  22. Conducting physical attacks against any Mosambee assets
  23. Extortion of any kind by asking for money or threatening disclosure of information.
  24. This programme is not applicable to our informational website home.mosambee.in.

Process

Your submission will be reviewed and validated by a member of the Product Security Incident Response Team. Providing clear and concise steps to reproduce the issue will help to expedite the response. All vulnerabilities must be reported to infra@mosambee.com.

Encrypt the email contents using TLS 1.2 with strong ciphers. Please provide the best means of return communication. Allow up to 10 business days for confirmation of the reported issue.

Evaluation

Once the vulnerability has been reported, Mosambee will work to validate the reported vulnerability. If additional information is required in order to validate or reproduce the issue, Mosambee will work with you to obtain it. When the initial investigation is complete, results will be delivered to you along with a plan for resolution and public disclosure if required.

A few things to note about the Mosambee evaluation process:

Third-Party Products: Many vendors offer products to be integrated with Mosambee products. If the vulnerability is found to affect a third-party product, Mosambee will notify the author of the affected software. Mosambee will continue to coordinate between you and the third party. Your identity will not be disclosed to the third party without your permission.

Confirmation of Non-Vulnerabilities: If the issue cannot be validated, or is not found to be a flaw in a Mosambee product, this will be shared with you.

Vulnerability Classification: Mosambee uses version 3.1 of the Common Vulnerability Scoring System (CVSS) to evaluate potential vulnerabilities. The resulting score helps quantify the severity of the issue and prioritize our response. For more information on CVSS, please see the CVSS-SIG announcement. Based on our evaluation process, Mosambee will register the vulnerability in the Mosambee Vulnerability Database and assign it a unique ID tag as per the classification process mentioned above.

Mosambee is committed to being responsive and keeping you informed of our progress as we investigate and/or mitigate your reported security concern. You will receive a response to your initial contact within 10 working days, confirming receipt of your reported vulnerability.

Confidentiality

Unless Mosambee provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Mosambee program, including discussions related to our program or any vulnerabilities (even if resolved).

Reward

We will only reward the first person to responsibly disclose a bug to us. Any bugs that are publicly disclosed without providing us a reasonable time to respond will not be rewarded. Whether to reward the disclosure of a bug, and the amount (non-monetary) of the reward, is entirely at our discretion, and we may cancel the program at any time. Your testing must not violate any laws. We cannot provide you with a reward if it would be illegal for us to do so. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

Terms and Conditions

  1. Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.
  2. Please do not test for spam, social engineering or denial of service issues.
  3. Your testing must not violate any law, or disrupt or compromise any data that is not your own.
  4. Please contact infra@mosambee.com to report security incidents such as customer data leakage or breach of infrastructure.
  5. Absolutely no public disclosure of any information related to Mosambee and its Vulnerability Disclosure Program.