Responsible Disclosure Policy - Xistyl


Last Updated On: 07, 06 2023 06:30 pm


At Xistyl Private Limited (including its affiliates) (hereinafter referred to as ‘Xistyl’), we appreciate and encourage security researchers to contact us to report potential vulnerabilities identified in any product, system, or asset belonging to us.

In support, we have established a Responsible Disclosure Policy, also called a Vulnerability Disclosure Policy. This policy is designed to create a clear communication path around reporting and disclosing exploitable vulnerabilities in our systems.

We may modify and revise this policy at our sole discretion as we move forward into the future; please continue to check here for updates.

Rules of Engagement

  1. Researchers submitting a vulnerability to Xistyl agree to be bound by the terms of the Responsible Disclosure Policy (hereinafter referred to as the ‘Terms’).

  2. What is in scope and out of scope when discovering vulnerabilities is clearly mentioned and specified in the sections below.

  3. Researchers shall ensure that they do not engage in privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.

  4. Researchers should only use/exploit to the extent necessary to confirm a vulnerability. Researchers should not use or exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use/exploit to “pivot” to other systems.

  5. Once a researcher establishes that a vulnerability exists, or encounters any sensitive data, the researcher shall stop any further testing and notify Xistyl immediately. Researchers are required to keep any information about discovered vulnerabilities confidential even after submitting the vulnerability report.

  6. Xistyl discourages violation of applicable laws and breach of any agreements in order to discover vulnerabilities and reserves the right to pursue legal action when the terms of this policy are violated or when testing is performed outside the scope of this policy. The decision made by our security team regarding validity, severity & impact of a vulnerability will be considered final and cannot be contested.

  7. Xistyl may share your vulnerability reports with any affected partners, vendors or open source projects.

Authorization

  1. If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, will work with you to understand and resolve the issue quickly, and Xistyl will not initiate or recommend legal action related to your research.

  2. If the identified vulnerability can be used to potentially extract information of our customers or systems, or impair our systems' ability to function normally, then please refrain from actually exploiting such a vulnerability. This is absolutely necessary for us to consider your disclosure a responsible one.

  3. While we appreciate the inputs of researchers, we may take legal recourse if the identified vulnerabilities are exploited for unlawful gains or getting access to restricted customer or system information, or impairing our systems. While we appreciate the inputs of researchers, we may take legal recourse if the identified vulnerabilities are exploited for unlawful gains or getting access to restricted customer or system information or impairing our systems.

Policy Coverage Area

  1. Following Mobile Apps and Websites under (or a sub-domain of) the domains are covered as part of this policy –

  2. Xistyl.com

  3. Xistyl Andriod App

  4. Xistyl iOS App

  5. If you encounter any vulnerability on our systems while testing within the scope of this policy, stop your test and notify us immediately.

Out of Scope Vulnerabilities

  1. General software related bugs (like SSL, older versions etc.)

  2. Vulnerabilities related to SPF/DMARC/DKIM records, which do not result in demonstrated compromise

  3. Missing security headers etc. or other security best practices, which do not result in demonstrated compromise

  4. Vulnerabilities related to outdated app versions or browsers – exploits/vulnerabilities related to current versions and only in the latest browser versions are accepted

  5. Exploits that need MITM or physical access to the victim’s device

  6. Clickjacking related submissions

  7. Unauthenticated/logout/login CSRF

  8. Previously known vulnerable libraries without a working Proof of Concept

  9. Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

  10. Open redirect

  11. Missing CAA headers

  12. Stack traces, directory listings or path disclosure

  13. Self XSS

  14. Social engineering attacks, both against users or employees

  15. Issues on non-company assets like GitHub, Cloud Providers or others, which Xistyl may be using

  16. Forgot Password page brute-force and account lockout not enforced

  17. Lack of Captcha

  18. Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality

  19. Session Timeouts

  20. Host Header Injection

  21. Exposed API keys without clear demonstration of security impact

  22. Specifically, exposed Google Map APIs keys and keys in Android XML files are out of scope for now

General Rules - Do’s & Don’t

  1. Do not launch Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.

  2. Automated tools or scripts are strictly prohibited.

  3. Any POC submitted should have a proper step-by-step guide to reproduce the issue. As stated above, abuse of any vulnerability found shall be liable for legal penalties.

  4. Make every effort to avoid - privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.

  5. Do not attempt to gain access to any other person’s account, data or personal information.

  6. Do use their real email address to report any vulnerability information to us.

  7. Keep information about any vulnerabilities you have discovered confidential between yourself and Xistyl. The Researcher shall not publicly disclose the bug or vulnerability on any online or physical platform before it is fixed and prior written approval to publicly disclose obtained from Xistyl.

  8. Do not use scanners or automated tools to find vulnerabilities.

  9. As a security researcher, you represent and warrant that you have the right, title and interest to disclose any vulnerability found and to submit any information, including documents, codes, among others, in connection therewith. Once you inform a vulnerability, you grant Xistyl, its subsidiaries and affiliates an irrevocable, worldwide, royalty-free, transferable, sublicensable right to use in any way Xistyl deems appropriate for any purpose. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure accepted by Xistyl.

  10. Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

How to report

  1. Individual Details:

  2. Full Name

  3. Mobile Number

  4. Any Public profile (Twitter, LinkedIn, Github etc.)

Bug Details:

  1. Name of the Vulnerability

  2. Affected Application

  3. Vulnerable Endpoint & Parameter

  4. Impact

  5. Detailed steps to reproduce

  6. Remediation

Please keep your vulnerability reports current by sending us any new information as it becomes available. We may share your vulnerability reports with any affected partners, vendors or open-source projects.

Recognition

  1. By helping us continuously keep our data secure, once the security vulnerability is verified and fixed as a result of the report, we would like to put your name on our “Security Hall of Fame” page present at 

  2. https://www.xistyl.com/hall-of-fame

    .

  3. We may at our sole discretion send out Xistyl Swag in some cases.

Eligibility for Recognition

  • Must be the first person to responsibly disclose the vulnerability.

  • Vulnerability discovered must be found when testing within the scope of this policy.

  • Reported vulnerability significantly impacts security and integrity of Xistyl services or impacts the privacy of customer or partner data.

Xistyl may at its sole discretion rate vulnerabilities as critical, high, medium and low. Only vulnerabilities rated critical and high are eligible for the Security Hall of Fame (https://www.xistyl.com/hall-of-fame).