Objective
At Smoobu, we take data integrity and security very seriously. Due to the nature of the product and service we provide, we are committed to working with individuals to stay updated on the latest security techniques and fix any security weakness in our application or infrastructure reported to us responsibly by external parties.
Eligibility Criteria
To be eligible for a reward,
Be the first to report the issue to us.
House rules can also help your guests if they are unsure about some things – such as how to operate appliances.
Subject to the Sections below, the submitted vulnerability must have a demonstrable impact in Smoobu’s context. We use CVSS v3 as the vulnerability scoring framework.
Must contain sufficient information including a proof of concept screenshot, video, or code snippet where needed.
The person submitting the request must not be an employee, former employee or an immediate relative of an employee or former employee of Smoobu.
You must comply with the Program terms and conditions.
Scope
The following are in scope for the purposes of this policy and subject to the terms of this policy, are eligible for a reward:
https://login.smoobu.com
https://booking.smoobu.com
https://yoursite.bookingturbo.com
Out of Scope
Anything not defined in the “Scope” section above.
Reports from automated tools or scans
Non – Acceptable Category
There are some submissions that we can’t accept for rewards. These are typically issues that we already are aware of, or issues that we think demonstrate business value that outweighs the low-level risk, or low-risk issues that are unlikely to result in a code change. Following vulnerability, classes are ineligible for rewards
Denial of Service
DMARC/ SPF
Self-XSS
Malicious File Upload
Social engineering
Email Spamming / Spoofing
Content Spoofing
Clickjacking and issues are only exploitable through clickjacking that has minimal impact.
CSRF on forms that are available to anonymous users(e.g. the contact form)
CSRF with negligible security impact (e.g. adding to favourites)
Software version number disclosure
Username or Site Name enumeration
Unvalidated Open Redirects or Tab Nabbing
HTML injection
Username or email address enumeration
Phishing attack using RTLO, Unicode/Punycode
Any security weakness or missing best practice without a demonstrable security impact
Descriptive error messages.
Information disclosure with minimal security impact (e.g. stack traces, path disclosure, directory listings, logs, robots.txt, etc)
Clickjacking and issues are only exploitable through clickjacking that has minimal impact.
Lack of Secure and HTTPOnly cookie flags.
Weak or missing captcha/captcha bypass.
SSL Attacks such as BEAST, BREACH, Renegotiation attack
SSL Forward secrecy not enabled
SSL Insecure cypher suites.
Missing HTTP security headers (including Anti-MIME-Sniffing header X-Content-Type-Options) that do not lead to direct exploitation.
XSS was only possible by an administrator e.g. administrators can modify HTML templates, that is not an example of an XSS vulnerability.
Self-XSS that has no security impact e.g. injecting HTML into your own RTE editor
Reports of third-party libraries without an actual proof-of-concept. e.g. if you are aware of a vulnerable library, then you need to submit a proof-of-concept showing that our use of the library is vulnerable.
Terms and Conditions
By submitting a security vulnerability to Smoobu, you acknowledge that you have read and agreed to the Terms and Conditions provided below. You agree that you may not publicly disclose your findings or the contents of your submission to any third parties without Smoobu’s prior written approval.
1.1 You shall:
- Comply with all applicable laws, regulations and rules, including export compliance laws and ensure you have all necessary rights relating to your participation and actions at all times;
- Ensure you have all permissions, consents and rights necessary to allow Smoobu to use your findings for Smoobu’s business purposes without any restrictions or liability and grant to Smoobu a perpetual, irrevocable, transferable, worldwide and royalty-free license to use, copy, modify, adapt, disclose, transfer develop or otherwise exploit (including commercially) any of your findings;
- Waive all claims against Smoobu or any third party with respect to your findings;
- Not exploit any vulnerabilities, including by disclosing vulnerabilities to any third parties or publicly, without the prior written consent of Smoobu;
- Not leverage any vulnerabilities against Smoobu or any third party in any manner, including to make any threats or ransom requests;
- Not access or use any Smoobu customer account or information;
- Use only a Smoobu account specifically created for this purpose if a Smoobu account is required to detect or test any vulnerability, which account shall be subject to these terms and conditions and the use restrictions in Smoobu’s online terms of service;
- Take all steps to ensure that the testing interfere with or interrupt a Smoobu customer’s access to and use of Smoobu product or otherwise adversely affecting Smoobu product or its business, and immediately notify Smoobu in case you suspect any of the foregoing;
- Not modify, copy, download, delete, compromise, adapt, tamper or otherwise process or misuse any data of Smoobu customer or any other non-public information, or engage in any act/omission that causes harm, liability or disrepute to Smoobu, its customers or partners, including incurring the loss of funds for Smoobu customer;
- Limit your actions to those strictly necessary to detect and test vulnerabilities in Smoobu products;
1.2 Smoobu reserves the right to determine what constitutes a valid vulnerability submission that is entitled to a bounty. A valid vulnerability submission shall be rewarded with such amount as Smoobu deems appropriate. You shall be responsible for any taxes applicable to the bounty payment, including for payment of the same to the appropriate tax authorities unless otherwise required under applicable law.
1.3 Smoobu reserves the right to modify this policy and the terms and conditions herein at any time without notice, including discontinuation of the policy at any time. Any dispute relating to this policy shall be resolved amicably between the Parties. Smoobu’s decision shall be final with respect to any interpretation of the policy.
