
Responsible Disclosure Policy

At Humming Minds we take the security of our systems and services seriously, and we work continuously to keep our products secure and customer data safe. We are committed to protecting our community. If you are a security researcher or expert and believe you have identified a security issue in the Humming Minds website or apps, we would appreciate you disclosing it to us responsibly.

How to Report?

If you think you have found a valid security vulnerability, please submit a detailed description of the issue, along with the steps to reproduce it, to hummingmindstech@gmail.com

Once we receive your submission, the team will investigate your report and work with you to understand and remediate the vulnerability. In the meantime, please do not discuss or disclose the vulnerability details until we close the report.

Our team is committed to addressing all security issues in a responsible and timely manner, and we ask the security community to give us the opportunity to do so. We trust the security community to make every effort to protect our users’ data and privacy.

We reserve the right to make changes to this policy at any time. Any such modification will become effective immediately upon Humming Minds posting it on the Website, and your continued use of the Website will constitute your consent to such modifications. You agree to periodically review the current version of this policy as posted by Humming Minds.

Disclosure Policy

  • 1 Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.

  • 2 Provide us a reasonable amount of time to resolve the issue.

  • 3 Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

  • 4 If the Humming Minds Security team has evidence of active exploitation or imminent public harm, they may immediately provide remediation details to the public so that users can take protective action.

Program Rules

To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:

  • 1 Note that automated tools or scripts are strictly prohibited, and any proof of concept (PoC) submitted to us must include a proper step-by-step guide to reproduce the issue.

  • 2 Do not access or modify data without explicit permission of the owner.

  • 3 Never use a finding to compromise/exfiltrate data or pivot to other systems. Use a proof of concept only to demonstrate an issue.

  • 4 Due to complexity and other factors, some vulnerabilities may take longer than 45 days to remediate.

  • 5 Responsibility – Act in good faith not to degrade the performance of our services or the privacy of our users. Please do not attempt to compromise the safety or privacy of our users (so please use test accounts), or the availability of Humming Minds through DoS attacks or spam. We also request you do not use vulnerability testing tools that generate a significant volume of traffic.

  • 6 Reproducibility – Our engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear will not be acted upon.

  • 7 Do not test the physical security of Humming Minds offices, employees, equipment, etc.

  • 8 Public disclosure of the vulnerability without express consent from Humming Minds is not allowed.

Scope

In-Scope Vulnerabilities

Accepted, in-scope vulnerabilities include, but are not limited to:

  • 1 Disclosure of sensitive or personally identifiable information

  • 2 Cross-Site Scripting (XSS)

  • 3 Cross-Site Request Forgery (CSRF) for sensitive functions in a privileged context

  • 4 Server-side or remote code execution (RCE)

  • 5 Authentication or authorization flaws, including insecure direct object references and authentication bypass

  • 6 Injection vulnerabilities, including SQL and XML injection

  • 7 Directory traversal

  • 8 Significant security misconfiguration with a verifiable vulnerability

  • 9 Exposed credentials, disclosed by Humming Minds or its employees, that pose a valid risk to an in-scope asset

  • 10 File upload vulnerabilities that allow server-side script execution (upload only a minimal backend script that prints a fixed string, preferably the hostname of the server, and stop there; do not upload a webshell that accepts arbitrary commands)

  • 11 Ability to book Humming Minds services for free

Out-of-Scope Vulnerabilities

Certain vulnerabilities are considered out-of-scope for the Bug Bounty Program. Those out-of-scope vulnerabilities include, but are not limited to:

  • 1 Any physical attacks against Humming Minds property or data centers

  • 2 Reports that involve a secondary user account where an existing business relationship is being leveraged and the impact is limited solely to the parent account

  • 3 Username enumeration on customer facing systems (i.e. using server responses to determine whether a given account exists)

  • 4 Scanner output or scanner-generated reports, including any automated or active exploit tool

  • 5 Attacks involving payment fraud, theft, or malicious merchant accounts

  • 6 Man-in-the-Middle attacks

  • 7 Vulnerabilities involving stolen credentials or physical access to a device

  • 8 Social engineering attacks, including those targeting or impersonating internal employees by any means (e.g. customer service chat features, social media, personal domains, etc.)

  • 9 Open redirection, except in the following circumstances:

    • 9.1 Clicking a Humming Minds -owned URL immediately results in a redirection, and/or

    • 9.2 A redirection results in the loss of sensitive data (e.g. session tokens, PII, etc)

  • 10 Host header injections without a specific, demonstrable impact

  • 11 Vulnerabilities found through DDoS or spam attacks. If you discover a vulnerability and believe it can cause DoS (for example, a logical flaw or known CVE), please submit it and we will review on a case-by-case basis. Do not attempt or execute DDoS attacks.

  • 12 Self-XSS, which includes any payload entered by the victim

  • 13 Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls

  • 14 Login/logout CSRF

  • 15 CSRF on unauthenticated forms or forms with no sensitive actions

  • 16 Content spoofing without embedding an external link or JavaScript

  • 17 Infrastructure vulnerabilities, including:

    • 17.1 Issues related to SSL/TLS certificates

    • 17.2 DNS configuration issues

    • 17.3 Server configuration issues (e.g. open ports, TLS versions, etc.)

  • 18 Vulnerabilities only affecting users of outdated, unpatched, or unsupported browsers and platforms, including any version of Internet Explorer

  • 19 Vulnerabilities that only affect one browser will be considered on a case-by-case basis, and may be closed as informative due to the reduced attack surface

  • 20 Information disclosure of public or non-protected information (e.g. code in a public repository, server banners, etc.), or information disclosed outside of Humming Minds control (e.g. a personal, non-employee repository; a list from a previous infodump; etc.)

  • 21 Exposed credentials that are either no longer valid, or do not pose a risk to an in-scope asset

  • 22 Any XSS that requires Flash. Flash has reached end of life and is no longer supported by modern browsers, which eliminates most of the attack surface and associated risk

  • 23 Missing HttpOnly or Secure flags on cookies

  • 24 Invalid or missing SPF/DKIM/DMARC records

  • 25 Clickjacking on pages with no sensitive actions

  • 26 Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis

  • 27 Any other submission determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact

  • 28 Vulnerabilities in third-party libraries without a demonstrated, specific impact on the target application (e.g. a CVE with no exploit)

  • 29 Exposure of non-sensitive data on the device

  • 30 Vulnerabilities requiring a rooted, jailbroken, or otherwise modified device

Out-of-Scope Vulnerabilities for Android/iOS

  • 1 Exploits reproducible only on rooted/jailbroken devices

  • 2 Absence of certificate pinning

  • 3 Snapshot/Pasteboard/Clipboard data leakage

  • 4 Lack of obfuscation

  • 5 Exploits using runtime changes

  • 6 Application crashes

  • 7 Exported activities or intents with no security-relevant impact

  • 8 Android backup vulnerability

Bug Submission Requirements

Required Information

For all submissions, please include:

  • 1 Full description of the vulnerability being reported, including the exploitability and impact

  • 2 Evidence and explanation of all steps required to reproduce the submission, which may include:

    • 2.1 Videos

    • 2.2 Screenshots

    • 2.3 Exploit code

    • 2.4 Traffic logs

    • 2.5 Web/API requests and responses

    • 2.6 Mobile Number or user ID of any test accounts

    • 2.7 IP address used during testing

  • 3 For RCE submissions, see below

  • 4 Failure to include any of the above items may delay our response.

RCE Submission Guidelines

Failure to meet the below conditions and requirements could result in a forfeiture of any potential Bounty Payment:

  • 1 Source IP address

  • 2 Timestamp, including time zone

  • 3 Full server request and responses

  • 4 Filenames of any uploaded files, which must include "bugbounty" and the timestamp

  • 5 Callback IP and port, if applicable

  • 6 Any data that was accessed, either deliberately or inadvertently

  • 7 Allowed Actions:

    • 7.1 Directly injecting benign commands via the web application or interface (e.g. whoami, hostname, ifconfig)

    • 7.2 Uploading a file that outputs the result of a hard-coded benign command

  • 8 Prohibited Actions:

    • 8.1 Uploading files that allow arbitrary commands (i.e. a webshell)

    • 8.2 Modifying any files or data, including permissions

    • 8.3 Deleting any files or data

    • 8.4 Interrupting normal operations (e.g. triggering a reboot)

    • 8.5 Creating and maintaining a persistent connection to the server

    • 8.6 Intentionally viewing any files or data beyond what is needed to prove the vulnerability

    • 8.7 Failing to disclose any actions taken or applicable required information

