Responsible Disclosure Program
The PrepLadder responsible disclosure program is designed to encourage security researchers to find security vulnerabilities in PrepLadder software and to recognize those who help us create a safe and secure product for our customers and partners.
If you believe you have found a security vulnerability in PrepLadder software, we encourage you to let us know as soon as possible. We will investigate the submission and if found valid, take necessary corrective measures. We request you to review our responsible disclosure policy as mentioned below along with the reporting guidelines, before you report a security issue.
The information on this page is intended for security researchers interested in reporting security vulnerabilities to PrepLadder security team. If you are a PrepLadder customer and have concerns regarding non-information security related issues or seeking information about your PrepLadder account / complaints, please reach out to customer support or write to [email protected].
How to report an issue?
If you happen to have identified a vulnerability on any of our web or mobile app properties, we request you to follow the steps outlined below:
- If you happen to have identified a vulnerability on any of our web or mobile app properties, we request you to follow the steps outlined below:
- Please contact us immediately by sending an email to [email protected] with the necessary details to recreate the vulnerability scenario. This may include screenshots, videos or simple text instructions.
- If possible, share with us your contact details (email, phone number), so that our security team can reach out to you if further inputs are needed to identify or close the problem.
- If the identified vulnerability can be used to potentially extract information of our customers or systems, or impair our system’s ability to function normally, then please refrain from actually exploiting such a vulnerability. This is absolutely necessary for us to consider your disclosure a responsible one.
- While we appreciate the inputs of Whitehat hackers, we may take legal recourse if the identified vulnerabilities are exploited for unlawful gains or getting access to restricted customer or system information or impairing our systems.
- We do not offer a bug bounty at this time, but swags can be awarded based on the severity, impact, complexity of the vulnerability reported and it is at the discretion of PrepLadder security team.
Responsible disclosure & reporting guidelines
- You should not do any public disclosure of a bug without prior approval from the PrepLadder security team.
- Please understand that due to the high number of submissions, it might take some time to triage the submission or to fix the vulnerability reported by you. Therefore, give us a reasonable amount of time to respond to you.
- Originality, quality, and content of the report will be considered while triaging the submission, please make sure that the report clearly explains the impact and exploitability of the issue with a detailed proof of concept.
- Please make sure that any information like proof of concept videos, scripts etc., should not be uploaded on any 3rd party website and should be directly attached as a reply to the acknowledgement email that you receive from us.
- You are obliged to share any extra information if asked for, refusal to do so will result in invalidation of the submission.
- You are not supposed to access any data/internal resources of PrepLadder as well the data of our customers without prior approval from the PrepLadder security team.
- You must be respectful to our existing applications, and in any case you should not run test-cases which might disrupt our services.
- Do not use scanners or automated tools to find vulnerabilities since they’re noisy. Doing so will invalidate your submission and you will be completely banned from PrepLadder responsible disclosure program.
- We also request you not to attempt attacks such as social engineering, phishing etc. These kinds of findings will not be considered as valid ones, and if caught, might result in suspension of your account and appropriate legal action as well.
Responsibility at our end
- We investigate and respond to all valid reports. Due to the volume of reports that we receive, however, we prioritise evaluations based on risk and other factors, and it may take some time before you receive a reply.
- We determine the reward based on a variety of factors, including (but not limited to) impact, ease of exploitation and quality of the report. Note that extremely low-risk issues may not qualify for the reward at all.
- In the event of duplicate reports, we give recognition to the first person to submit an issue. (PrepLadder determines duplicates and may not share details on the other reports.)
- Note that your use of PrepLadder services including for the purposes of this programme, is subject to PrepLadder’s Terms and Policies. We may retain any communications about security issues that you report for as long as we deem necessary for programme purposes, and we may cancel or modify this programme at any time.
Targets in scope
Out of Scope Targets
- All the sandbox and staging environments are out scope.
- All external services/software which are not managed or controlled by PrepLadder are considered as out of scope / ineligible for the reward.
- Newly acquired company websites/mobile apps are subject to a 12 month blackout period. Issues reported sooner in such websites/mobile apps won't qualify for any recognition.
Prerequisites to qualify for Reward:
- Be the first researcher to responsibly disclose the bug. Duplicate submissions are not eligible for any reward.
- Must adhere to our Responsible disclosure & reporting guidelines (as mentioned above).
- Verify the fix for the reported vulnerability to confirm that the issue is completely resolved.
Report a bug that could compromise the integrity of user data, circumvent the privacy protections of user data or enable access to a restricted/sensitive system within our infrastructure.
Common examples include:
- Cross-Site Scripting (XSS)
- Sql Injection
- XML external entity (XXE) injection
- Server Side Template Injection (SSTI)
- Server Side Request Forgery (SSRF)
- Cross-Site Request Forgery (on sensitive actions)
- Broken Authentication / Authorization
- Broken Session flaws
- Remote Code Execution (RCE)
- Privilege Escalation
- Business Logical flaws
- Payment Related Issues
- Misuse/Unauthorized use of our APIs
- Open Redirects (which allow stealing secrets/tokens)
Out of scope vulnerabilities
Some of the reported issues, which carry low impact, may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues which typically do not earn any recognition:
- Issues found through automated testing
- Clickjacking in any form
- Bugs requiring exceedingly unlikely user interaction (e.g Social engineering)
- Spamming (e.g. SMS/Email Bombing)
- Any kind of spoofing attacks or any attacks that leads to phishing (e.g. Email spoofing, Capturing login credentials with fake login page)
- Denial-of-service attacks or vulnerabilities that leads to DOS/DDOS
- Login - Logout cross-site request forgery
- Self XSS
- Presence of server/software banner or version information
- Stack traces and Error messages which do not reveal any sensitive data
- Third party API key disclosures without any impact or which are supposed to be open/public.
- OPTIONS / TRACE HTTP methods enabled
- Missing HTTP Security Headers (e.g. Strict-Transport-Security - HSTS)
- Missing Cookie Flags (e.g. HttpOnly, secure etc)
- Host Header Injection
- Broken Links (e.g. 404 Not Found page)
- Known public files or directories disclosure (e.g. robots.txt, css/images etc)
- Browser ‘autocomplete’ enabled
- HTML / Text Injection
- Forced Browsing to non-sensitive information (e.g. help pages)
- Certificates/TLS/SSL related issues (e.g. BREACH, POODLE)
- DNS issues (e.g. Missing CName, SPF records etc.)
- End of Life Browsers / Old Browser versions (e.g. internet explorer 6)
- Weak CAPTCHA or CAPTCHA bypass (e.g. using browser addons)
- Coupon Misuse
- Brute force on forms (e.g. Contact us page)
- Brute force on “Login with password” page
- Account lockout not enforced
- Spam or Social Engineering techniques, including:
- SPF and DKIM issues
- Content injection
- Hyperlink injection in emails
- IDN homograph attacks
- RTL Ambiguity
- Rate limit mechanism bypass
- Any kind of vulnerabilities that requires installation of software like web browser add-ons, etc in victim's machine
- Screen pinning bypass
- Any kind of vulnerabilities that requires physical device access (e.g. USB debugging), root/jailbroken access or third-party app installation in order to exploit the vulnerability
- Bypassing root/jailbroken detection
- SSL Pinning bypass
- Reporting usage of known-vulnerable software/known CVE’s without proving the exploitability on PrepLadder’s infrastructure by providing a proper proof of concept
- Bug which PrepLadder is already aware of or those already classified as ineligible
Changes to Program Terms
The responsible disclosure program, including its policies, is subject to change or cancellation by PrepLadder at any time, without notice. As such, PrepLadder may amend these program terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the responsible disclosure program after PrepLadder posts any such changes, you implicitly agree to comply with the updated program terms.