Bug Bounty
InterWorx continuously seeks to protect its hosting environment, and offer the best service to its customers. Because of this, we offer a bounty for reporting security vulnerabilities that substantially impact the integrity and confidentiality of user data in our hosting environment. To be eligible for the bounty, you must be the first to report, and use the process outlined below. InterWorx, in its sole discretion, shall determine whether or not to pay a reward, as well as the amount of the reward.
If you believe you have found a security vulnerability impacting an in-scope target (see scope list below), please notify us at [email protected]. When reporting, please respect our customers’ privacy and data. Please include detailed information as guided by the bulleted list below.
- The type of security vulnerability.
- The product, control panel, or infrastructure that contains the security vulnerability.
- The impact of the security vulnerability.
- Step-by-step instructions to reproduce the issue.
- Impact of the security vulnerability including how it can be exploited.
- Mitigation of the vulnerability if available.
Once submitted, we will contact you to confirm receipt of your report. As we investigate the security vulnerability, we may also ask you for additional information. For the scope listed on this page, the InterWorx security team has 30 days to respond to the report, and up to 90 days to implement a fix based on the severity of the report.
During the investigation into the security vulnerability, we ask that you maintain full confidentiality of the issues and not publicly discuss, imply, or hint at the existence of such vulnerability. Failure to maintain confidentiality will disqualify you from receiving any bounty, and disqualify you from future submissions under this program.
Please do not report findings to the InterWorx helpdesk at support.interworx.com. All bug bounty reporting must go through [email protected], and the InterWorx support team is unable to assist with reports of this nature.
Scope
At this time, the scope of this program is limited to security vulnerabilities found on InterWorx website and product.
Note that 3rd party products, such as WordPress, Discourse, and Happyfox will not be eligible for bounty unless our implementation has resulted in data leakage or account takeover. Generally anything out of InterWorx control is out of scope, such as our Support hosted on Happyfox, but we will accept reports regarding our settings that resulted in leakage of sensitive information.
Currently the following environments are considered in-scope.
- https://interworx.com
- https://portal.interworx.com
- InterWorx Control Panel
- https://support.interworx.com
- https://forums.interworx.com
- http://docs.interworx.com
- https://appendix.interworx.com/
The following are strictly prohibited:
- Denial of Service attacks
- Physical attacks against offices and data centers
- Social engineering of our service desk, employees or contractors
- Compromise of a InterWorx users or employees account
- Automated tools or scans, botnet, compromised site, end-clients or any other means of large automated exploitation or use of a tool that generates a significant volume of traffic
- Any activity that would disrupt, damage, or adversely affect any third-party data or account is not allowed
- Please do not mass create accounts to perform testing against InterWorx applications and services. Also do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality
The following vulnerabilities are out of scope and will not be considered for bounty:
- Cross site request forgery (CSRF)
- Cross domain leakage
- Information disclosure
- Software version disclosure
- XSS attacks via POST or headers
- Configuration and best practices such as SPF/DMARC, CORS, security headers, or insecure SSL/TLS ciphers.