Conductor BugBounty Program
Welcome to Conductor`s Bug Bounty Program! We appreciate your efforts in contributing to the security of our websites currently located at www.conductor.com and www.contentkingapp.com (the “Websites”) and the platforms available at app.conductor.com and app.contentkingapp.com (collectively, the “Conductor Platform”). This program is designed to encourage responsible disclosure and offers recognitions and rewards for eligible vulnerabilities discovered in accordance with this policy.This policy covers vulnerabilities found in the Conductor`s Platform, including the following scope:
*.conductor.com
*.contentkingapp.com
If you believe you have found a vulnerability in the Conductor`s platform please submit a vulnerability report to us by emailing [email protected]
Rules of Engagement
In participation of Conductor`s Vulnerability Reward Program, you must meet the following rules:
- Testing that disrupts the service to other users is forbidden.
- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam.
- It’s not allowed to provide any information about the discovered security vulnerability to third parties.
- It’s not allowed to collect any data, accessed through such security vulnerabilities.
- It’s not allowed to abuse or exploit any vulnerability beyond the extent necessary to create a proof of such vulnerability.
- You must not compromise the privacy of our users or violate our Privacy Policy or Data Protection Addendum.
- You must otherwise comply with this policy and all applicable laws.
Submission Process
To submit a vulnerability report, provide as much evidence as possible, including comprehensive details of the vulnerability along with a Proof of Concept (PoC) or screenshot for replication and validation.
The vulnerability must demonstrate security impact within the scope of this program (as described below).
By submitting a report, you indicate that you have read, understand, and agree to the terms of this policy.
Please allow us at least 5 (five) business days to confirm the receipt of your vulnerability. An eligible report will undergo a thorough review within a commercially reasonable time.
We reserve the right not to provide a substantive response to reports that are deemed outside the scope of this policy or found non-applicable.
The decision regarding the eligibility of your report for this program and any associated reward is at the sole discretion of Conductor.
While we aim to maintain transparency with our contributors, please understand that the specific details regarding the assessment and resolution of reports may not always be disclosed. This includes reasons for a report’s acceptance or rejection. We ensure that every report is reviewed carefully and treated with the highest regard. Should you require general feedback or have questions about your submission, we encourage you to contact us.
As part of your compliance with this policy, and upon request, you agree to sign a non-disclosure agreement acceptable to Conductor in its sole discretion. This may be a condition for receiving a reward under this program.
The following finding types are specifically out of scope:
- Lack of MFA.
- Open redirects (through headers and parameters) / Lack of security speedbump when leaving the site.
- Internal IP address disclosure.
- Accessible Non-sensitive files and directories (e.g. README.TXT, CHANGES.TXT, robots.txt, .gitignore, etc).
- Social engineering / phishing attacks.
- Self XSS.
- Text injection.
- Email spoofing (including SPF, DKIM, DMARC, From: spoofing, and visually similar, and related issues).
- Descriptive error messages (e.g. stack traces, application or server errors, path disclosure).
- Fingerprinting/banner disclosure on common/public services.
- Clickjacking and issues only exploitable through clickjacking.
- CSRF issues that don't impact the integrity of an account (e.g. log in or out, contact forms and other publicly accessible forms).
- Lack of Secure and HTTPOnly cookie flags (critical cookie may still be in scope).
- Login or Forgot Password page brute force, account lockout not enforced, or insufficient password strength requirements.
- Lack of rate limiting or other missing DOS protections.
- HTTPS mixed content scripts.
- Missing HTTP security headers.
- TLS/SSL Issues, including BEAST, BREACH, insecure renegotiation, bad cipher suite, expired certificates, etc.
- Standard WPA cracking attacks, such as those that result from users choosing weak passwords.
- Denial of Service attacks.
- Use of a known-vulnerable component (exceptional cases, such as where you are able to provide proof of exploitation, may still be in scope).
- UI and UX (non-security) bugs.
- Reports asserting that software is outdated or vulnerable without a proof of concept.
- Mis-adherence to best practices that does not lead to an exploit.
Evaluation and Reward
- Every reported vulnerability will be evaluated and rewarded individually on a case-by-case basis, based on the severity of the bug.
- Only new, previously unreported vulnerabilities will be eligible for rewards.
- Rewards will be exclusively awarded to the first reporter of each vulnerability.
- You will receive compensation for your reporting efforts (details outlined above). However, operational compensations, such as salary or utilities, are not provided.
Feedback
If you have any questions or comments about the vulnerability reward program, please contact us at [email protected].