Bug Bounty
Interworx continuously seeks to protect its hosting environment and offer the best service to its customers. We offer a bounty for reporting security vulnerabilities that substantially impact the integrity and confidentiality of user data in our hosting environment. To be eligible for the bounty, you must be the first to report and use the process outlined below. Interworx, in its sole discretion, shall determine whether or not to pay a reward and the amount of the reward.
If you believe you have found a security vulnerability impacting an in-scope target (see scope list below), please notify us at [email protected]. When reporting, please respect our customers’ privacy and data. Please include detailed information as guided by the bulleted list below.
- The type of security vulnerability.
- The product, control panel, or infrastructure that contains the security vulnerability.
- The impact of the security vulnerability.
- Step-by-step instructions to reproduce the issue.
- Impact of the security vulnerability including how it can be exploited.
- Mitigation of the vulnerability if available.
Once submitted, we will contact you to confirm receipt of your report. As we investigate the security vulnerability, we may also ask you for additional information. For the scope listed on this page, the Interworx security team has 30 days to respond to the report, and up to 90 days to implement a fix based on the severity of the report.
During the investigation into the security vulnerability, we ask that you maintain full confidentiality of the issues and not publicly discuss, imply, or hint at the existence of such vulnerability. Failure to maintain confidentiality will disqualify you from receiving any bounty and disqualify you from future submissions under this program.
Scope
At this time, the scope of this program is limited to security vulnerabilities found on Interworx website and product.
3rd party products such as WordPress, Discourse and Happyfox will only be considered in scope if the vulnerability reported is not present in the latest stable version of the 3rd party product.
Currently the following environments are considered in-scope.
- https://interworx.com
- https://portal.interworx.com
- Interworx Control Panel
- https://support.interworx.com
- https://forums.interworx.com
- http://docs.interworx.com
- https://appendix.interworx.com/
The following are strictly prohibited:
- Denial of Service attacks.
- Physical attacks against offices and data centers.
- Social engineering of our service desk, employees or contractors.
- Compromise of a Interworx users or employees account.
- Automated tools or scans, botnet, compromised site, end-clients or any other means of large automated exploitation or use of a tool that generates a significant volume of traffic.
- Any activity that would disrupt, damage or adversely affect any third-party data or account is not allowed.
- Please do not mass create accounts to perform testing against Interworx applications and services. Also do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.
The following vulnerabilities are out of scope and will not be considered for bounty:
- Cross site request forgery (CSRF)
- Cross domain leakage
- Information disclosure
- Software version disclosure
- XSS attacks via POST or headers
- Configuration and best practices such as SPF/DMARC, CORS, security headers, or insecure SSL/TLS ciphers.