Guidelines

Eventcube requests that all researchers follow the below guidelines.

Privacy first

• Approach security assessments with discretion.
• Prioritize safeguarding user data and experience.

Non disruptive

• Tread carefully around production environments.
• Data integrity is paramount, handle with care.

‍
Due diligence

• Security testing demands good faith efforts.
• Violating trust undermines the entire endeavor.
  
• Perform research only within the scope set out below
• Provide a detailed report through our direct security channel, that includes: Steps to replicate the issue (screenshots, videos, etc), location of issue, the names of accounts you have created / used, your contact details
• Wait for our consent to discuss a vulnerability
• Respectfully reach out to Eventcube
• Reduce overly broad use of automated scanning tools

‍

Policies

Eventcube genuinely values the assistance of security researchers and others in the security community to help keep our systems secure. However, we insist that researchers follow the rules set out in this Responsible Disclosure Policy when reporting a security vulnerability to us.

• Eventcube will define the severity of the issue based on the impact and the ease of exploitation.
• We will initiate necessary actions to fix the vulnerability in line with our commitment to security and privacy and notify you once we fix it.
• When conducting security testing, please ensure that you do not violate any of our privacy policies, modify or delete unauthenticated user data, disrupt production servers, or degrade user experience in any way.
• You must not exploit a security vulnerability that you discover for any reason.
• Conduct research only within the scope set out in our guidelines.
• Use the identified communication channel, i.e., security@eventcube.io, to report any vulnerability to us.
• Documenting or publishing the vulnerability details in any public domain goes against our responsible disclosure policy.
• Eventcube commits to publicly acknowledge and recognize your responsible disclosure on our Hall of Fame page.
• Eventcube determines recognition in the Hall of Fame based on a variety of factors, including (but not limited to) impact, ease of exploitation, and quality of the report. Note that extremely low-risk vulnerabilities may not qualify for the Hall of Fame at all.
• In the event of duplicate reports, we give recognition to the first person to submit a vulnerability. (Eventcube determines duplicates and may not share details on the other reports).

‍

In Scope Targets

www.eventcube.io
manage.eventcube.io

Any other Eventcube sites that include a security.txt file (i.e. https://<site>/security.txt)

‍

In-Scope Vulnerabilities:

• SQL/XXE Injection and command injection
• Server-side request forgery (SSRF)
• Remote code execution (RCE)
• Misconfiguration issues on servers and application
• Cross-site request forgeries (CSRF)
• Cross-Site Scripting (XSS)
• Authentication and authorization-related issues

‍

Out-of-Scope Vulnerabilities:

• Social engineering (including phishing) with any Eventcube staff or contractors
• Denial of Service, Distributed-DoS
• X-Frame-Options related, missing cookie flags on non-sensitive cookies;
• Missing security headers that do not lead directly to a vulnerability.
• Version exposure (unless you deliver a PoC of working exploit)
• Directory listing with already publicly readable content
• Information disclosure not associated with a vulnerability, i.e.: stack traces, application or server errors, robots.txt, etc
• Use of known-vulnerable libraries without proof of exploitation such as OpenSSL
• Log-in or forgotten password page brute forcing and account lockout not being enforced
• Application denial of service by locking user accounts
• Reports from automated scripts or scanners
• Clickjacking and issues only exploitable through clickjacking
• SSL issues such as BEAST, BREACH, renegotiation attack, forward secrecy not enabled, weak/insecure cipher suites, and missing best practices
• HTTP TRACE or OPTIONS methods enabled
• Open ports without an accompanying proof-of-concept demonstrating vulnerability
• Reflected XSS (unless you deliver a PoC showing impact)
• Formula Injection or CSV Injection
• EXIF data not stripped on images
• Rate limiting
• Missing HTTP security headers and cookie flags on insensitive cookies
• Email - issues related to SPF/DKIM/DMARC
• User email enumeration

‍

‍

Submissions we do not want to receive

In the unlikely scenario you discover any sensitive information we request that you either describe or redact the below information in your submission.

• Personally Identifiable Information
• Cardholder data, that includes card details

‍

Rewards

‍Critical Risk: $150 & Hall of Fame
Examples: Remote code execution, unrestricted access to underlying file systems or databases, or vulnerabilities bypassing significant security controls.

‍High Risk: $100 & Hall of Fame
Examples: Stored XSS, IDOR, etc

‍Medium to Low Risk
Hall of Fame

‍

Reporting Guidelines

When you report a vulnerability to us, please provide the following details in the report:

• Description and potential impact of the vulnerability.
• A detailed description of the steps required to reproduce the vulnerability.
• Where available, a video recording.
• Your preferred name/handle for recognition in our Security researcher hall of fame.

‍

How to Report

Please email security@eventcube.io if you have found any potential vulnerabilities in our product and infrastructure and our security team will acknowledge your submission within 7 days.

‍