Vulnerability Disclosure Policy
Intro
This Vulnerability Disclosure Policy (VDP) applies to any vulnerabilities you consider reporting to Worksection. Please read this VDP fully before you report a vulnerability, and always act in compliance with it.
We highly appreciate individuals who dedicate their time and efforts to responsibly disclose security vulnerabilities in accordance with this policy. We appreciate researchers assisting us in our security efforts and extend our gratitude in advance for your submission and discretion.
Your testing must not violate any law or disrupt or compromise any data that is not your own. If you find a potential vulnerability that allows access to restricted data or resources, you should notify us immediately — do not continue to investigate the vulnerability yourself.
Scope
This policy applies to the following domain: https://worksection.com/
Guidance
While we highly encourage responsible vulnerability discovery and reporting, certain actions are strictly prohibited. Please refrain from engaging in the following activities:
- Performing actions that may have a negative impact on the Company or its users, such as spamming, conducting brute force attacks, or launching Denial of Service attacks. Similarly, avoid any tests that may impair system access or cause damage to data.
- Accessing or attempting to access any data or information that does not belong to you. It is important to respect the boundaries of authorized access.
- Destroying, corrupting, or attempting to destroy or corrupt any data or information that does not belong to you. Safeguard the integrity and confidentiality of data.
- Utilizing high-intensity invasive or destructive scanning tools for the purpose of identifying vulnerabilities. Such tools should not be employed as they may cause undue disruption.
- Engaging in physical testing, including attempting office access, exploiting open doors, or tailgating. Social engineering techniques, such as phishing or vishing, are also prohibited. Focus solely on technical vulnerability testing.
- Conducting social engineering activities targeting the Company’s team members, contractors, or users. Respect the privacy and trust of individuals associated with our organization.
- Violating any laws or breaching agreements in your pursuit of discovering vulnerabilities. Adhere to legal and ethical boundaries throughout the process.
By adhering to these guidelines, you ensure that your vulnerability discovery activities are conducted in a responsible and lawful manner.
Exclusions from the scope
The following findings are specifically non-rewardable within this program:
- Disclosure of known public files or directories (e.g., robots.txt)
- Clickjacking and certain issues only exploitable through clickjacking
- Logout Cross-Site Request Forgery (logout CSRF)
- Weak captcha
- Lack of Secure and HttpOnly cookie flags
- Missing or misconfigured SPF/DKIM records
- Lack of SSL/TLS best practices
- DDoS vulnerabilities
- Missing HTTP security headers, e.g.: Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP, Content-Security-Policy-Report-Only
- Out-of-date software versions
- Vulnerabilities affecting users of outdated browsers or platforms
- Social engineering, phishing, physical, or other fraudulent activities
- Self-XSS that cannot be used to exploit other users
- Vulnerabilities in third-party components
- Bugs that require exceedingly unlikely user interaction
- Content spoofing and text injection issues without a real attack vector and/or without being able to modify HTML
- Subdomain takeover without a proof of concept
- Domain squatting or any other domain speculations
- Vulnerabilities that require physical access to a user’s device
- Vulnerability reports that are generated by scanners or any automated or active exploit tools
- Vulnerabilities involving active content, such as web browser add-ons
- Denial of service (DoS/DDoS) and spamming (SMS, email, etc.)
- Most brute-forcing issues without any clear impact
- Publicly accessible login panels without proof of exploitation
- Disclosure of public user information, as well as non-sensitive and moderately sensitive information
Reporting a vulnerability
If you have discovered a potential security vulnerability on our platform, we kindly request that you report it directly to the Company’s security team via email at security@worksection.ua. This ensures that your report reaches us promptly, enabling us to respond more effectively. Please refrain from sending the report to our general email address or through the support chat.
To maintain the confidentiality of the vulnerability, we ask that you avoid filing a public issue or discussing it on social media platforms such as Twitter or GitHub. We appreciate your cooperation in keeping the communication regarding the vulnerability confidential between you and our team. Please refrain from sharing your reports or any evidence with other users or companies.
When submitting a vulnerability report, please ensure that it includes the following essential information:
- Clear and relevant title. Provide a concise and descriptive title that accurately reflects the nature of the vulnerability.
- Affected service/API. Clearly indicate the specific service or API that is affected by the vulnerability. This helps us to quickly understand the scope of the issue.
- Vulnerability details and impact. Thoroughly explain the vulnerability, including its technical details and potential impact on our systems or users. Provide sufficient information to help us understand the nature and severity of the vulnerability.
- Steps to reproduce / Proof of Concept. Include detailed instructions on how to reproduce the vulnerability, preferably accompanied by a Proof of Concept (PoC). The PoC can be in various forms such as a video demonstration, screenshots from tools like Burp Suite, curl commands, or relevant code snippets. These materials help us verify and understand the vulnerability better.
- Any other important details. Feel free to include any additional information that you believe is relevant or helpful for our understanding of the vulnerability. This can include system configurations, relevant logs, or any other supporting documentation that can aid in the resolution process.
By providing a comprehensive report that includes these elements, you greatly assist us in efficiently assessing and addressing the reported vulnerability.
What happens after reporting a vulnerability
After you have submitted your report, we will analyze it in terms of impact, severity, and exploitation complexity. If we consider it relevant, we will respond to you within fifteen (15) working days. We will keep you informed of our progress.
Once the reported vulnerability is remediated, we will notify you, and you may be invited to confirm that the solution adequately covers the vulnerability. We welcome requests to disclose your report once your vulnerability has been resolved. However, please refrain from sharing information about any discovered vulnerabilities for 90 calendar days after we confirm receipt of your report.
Rewards
We typically do not offer any cash rewards for submissions. However, we might make an exception in the case of valid critical bugs and high-quality reports. The reward amount will be determined based on the maximum impact of the vulnerability. Reports that are well-written and deemed useful have a greater chance of being considered for a reward.
Please note that only the first individual to report a previously unknown flaw will qualify for a reward.