We take the security of our systems seriously, and we value the security of our users, contributors, clients, and customers. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users.
Guidelines
If you visit our website and notice any security issues, we require that all researchers:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
- Use the identified communication channels to report vulnerability information to us; and
- Keep information about any vulnerabilities you've discovered confidential between yourself and INMAGINE until we've had [90] days to resolve the issue.
Confidentiality
Any information you find or collect about INMAGINE or any INMAGINE user through the security bugs must be kept confidential and only used in connection with us. Accessing private information of other users and performing actions that may negatively affect INMAGINE users are strictly forbidden. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the INMAGINE sites, without INMAGINE's prior written consent.
In the interest of the safety of our users and staff, we'd like to ask you to refrain from:
- Spamming.
- Social engineering (including phishing) of INMAGINE staff or contractors or clients.
- Any physical attempts against INMAGINE property or data centers.
- Cryptomining.
- Accessing, or attempting to access, data or information that does not belong to you.
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.
- Causing, or attempting to cause, a Denial of Service (DoS/DDoS) condition.
If you follow these guidelines and immediately report to us, we commit to:
- Not initiating legal action against security researchers attempting to find vulnerabilities within our systems who adhere to this policy.
How to report a security vulnerability?
We believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security vulnerability in one of our products or platforms please immediately send it to us by emailing patrick@123rf.com. Please include the following details with your report:
- Description of the location and potential impact of the vulnerability;
- A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and
- Your name/handle
Eligibility
We accept reports based on severity not less than 6 per CVSS 3.1. The final severity may be adjusted to reflect the impact of the reported vulnerability on our domains.
More on CVSS 3.1 scoring: https://www.first.org/cvss/calculator/3.1
In scope
- *.123rf.com
- *.pixlr.com
- *.designs.ai
Out of Scope
When reporting vulnerabilities, you shall consider the attack scenario / exploitability, and security impact of the bug. The following issues are considered out of scope from this Program, and we will not accept any of the following types of attacks:
- Denial-of-service attacks
- Spam, social engineering or email phishing techniques (e.g. phishing, vishing, smishing)
- Email spoofing
- Any security vulnerability on the client side (e.g. browsers, plugins)
- Software version disclosure
- Reflected file download
- Any physical access issues
- Publicly accessible pages
- Any weakness or disclosure of information which does not lead to a direct vulnerability
- Email or account enumeration
- CSV command execution and CSP weaknesses
- Any vulnerabilities in third-party apps or websites are generally not within the scope of our Program.
Changes to Terms
Inmagine reserves the right to modify or cancel this Bug Bounty Program and its policies at any time, without prior notice.
Accordingly, Inmagine may amend these Terms and/or its policies at any time by posting a revised version on Inmagine's website. You accept the modified Terms if you continue to participate in the Bug Bounty Program after changes are made to the Terms.