[{"id":3773342,"new_policy":"# Ripio HackerOne Program - Scope \u0026 Exclusions Policy (Logic-Based)\n\nTo ensure clear communication and efficient triage, we have defined our scope using strict logic-based rules. Please review these exclusions carefully before submitting.\n\n## 🏆 ATO Challenge (Special Bounty: $6,000)\n**Objective**: Demonstrate a full Account Takeover by bypassing authentication mechanisms, **specifically bypassing 2FA**, to obtain a valid user session and **perform a critical action**.\n*   **Target User**: `ripiotestuser1@gmail.com`\n*   **Password**: `Sup3rs3cr3t!`\n*   **Required Proof**: You must demonstrate access to **Sensitive Information Disclosure**, **Wallet Balance**, or perform a **Minimal Transfer**. Merely logging in is not enough if the session is restricted.\n*   **Security Controls**: 2FA is ENABLED. You must bypass it.\n*   **Constraint**: The email provider itself (`@gmail.com`) is **Out-of-Scope**. Do not attempt to compromise the Google account to read codes.\n*   **Prohibited**: Brute force attacks and Social Engineering are strictly prohibited.\n\n---\n\n## ✅ Qualifying Vulnerabilities (Focus Areas)\n*While we welcome all valid security vulnerabilities, we are specifically interested in:*\n\n### 📱 Mobile Specific\n*   **Insecure Data Storage**: Sensitive data (PII, Credentials) stored in plain text (SharedPrefs, SQLite, External Storage).\n*   **Deep Link / Intent Hijacking**: Malicious intents leading to Account Takeover or Sensitive Action execution.\n*   **Biometric Bypass**: Bypassing local authentication mechanisms.\n*   **Hardcoded Secrets**: Valid API Keys or Credentials found in the binary (must be verified).\n\n### 🌐 Web \u0026 API\n*   **Business Logic Errors**: Payment manipulation, unauthorized transfers.\n*   **Broken Access Control**: IDOR, Privilege Escalation.\n*   **Injection**: SQLi, RCE.\n\n---\n\n## 🚫 Hard Exclusions (Auto-Close Rules)\n*Reports falling into these categories will be closed as **N/A 
(Not Applicable)** immediately. We do not accept theoretical arguments for these issues.*\n\n### Attack Vector Constraints\n*   **Physical \u0026 Local Access**: Any attack requiring physical access to the victim's device or access to the victim's local network (e.g., MITM, local malware, self-installed certificates).\n*   **Social Engineering**: Phishing, Vishing, Smishing, or any attack relying on deceiving employees or users.\n*   **Denial of Service (DoS/DDoS)**: Any activity that disrupts, degrades, or interrupts service availability.\n*   **Brute Force**: Repetitive automated attempts against authentication endpoints.\n*   **Third-Party Flaws**: Vulnerabilities in 3rd party providers or integrations, unless they directly compromise Ripio data/infrastructure.\n\n### Infrastructure \u0026 Configuration\n*   **SSL/TLS Configuration**: Missing security headers (HSTS, HPKP), weak ciphers, or certificate issues.\n*   **Email Security Records**: Missing or incomplete SPF, DMARC, or DKIM records.\n*   **Information Disclosure (Low Impact)**:\n    *   Verbose error messages or stack traces (unless they contain sensitive PII/Credentials).\n    *   Server banner grabbing / Version disclosure.\n    *   Publicly accessible files (robots.txt, readme.md, WordPress files) without sensitive data.\n*   **CORS**: Cross-Origin Resource Sharing issues without a working PoC demonstrating sensitive data exfiltration.\n*   **COOP**: Cross-Origin Opener Policy issues without a working PoC demonstrating sensitive data exfiltration.\n*   **COEP**: Cross-Origin Embedder Policy issues without a working PoC demonstrating sensitive data exfiltration.\n\n---\n\n## ⚠️ Conditional Exclusions (Proof Required)\n*These issues are considered N/A **UNLESS** the specific condition described below is met and demonstrated in the Proof of Concept.*\n\n### XSS \u0026 Client-Side Attacks\n*   **Reflected XSS**:\n    *   **Rule**: **Conditional Exclusion**. 
Reports showing only `alert(1)` or non-sensitive DOM manipulation are **N/A**.\n    *   **Exception**: Valid **ONLY** if you demonstrate **Account Takeover** or **Sensitive Action Execution** via a clickable link or iframe (e.g., stealing a session token, bypassing CSRF to change email). The impact must be proven, not theoretical.\n*   **Self-XSS**:\n    *   **Rule**: **Out-of-Scope** if it requires the user to paste code into the console or address bar.\n    *   **Exception**: Valid ONLY if chained with another vulnerability (e.g., CSRF) to execute without user self-sabotage.\n*   **Clickjacking**:\n    *   **Rule**: Strictly **Out-of-Scope** on pages without sensitive state-changing actions (e.g., Login, Logout, Static Content).\n    *   **Exception**: Valid ONLY if you demonstrate a critical state change (e.g., Transfer Funds, Delete Account, Authorize App).\n*   **Cookie Flags**:\n    *   **Rule**: Missing `Secure` or `HttpOnly` flags are N/A.\n    *   **Exception**: Valid ONLY if you provide a working PoC that exploits this specific lack of protection.\n\n### Mobile \u0026 Native Apps\n*   **Obfuscation / Binary Protection**:\n    *   **Rule**: Lack of obfuscation, anti-debugging, or binary protection is **N/A**.\n    *   **Exception**: Valid ONLY if you can reverse engineer hardcoded secrets (API Keys, Credentials) that grant unauthorized access.\n*   **SSL Pinning / Root Detection**:\n    *   **Rule**: Bypassing client-side controls (Pinning, Root/Jailbreak detection) on your own device is **N/A**.\n    *   **Exception**: Valid ONLY if the bypass allows server-side exploitation that affects other users.\n*   **Local Data Leaks (Snapshots/Pasteboard)**:\n    *   **Rule**: Application snapshots or keyboard cache/pasteboard leakage are **N/A**.\n    *   **Exception**: Valid ONLY if it exposes high-impact sensitive data (e.g., Credit Card numbers, Passwords) in a shared context.\n*   **Tapjacking / Overlay Attacks**:\n    *   **Rule**: **N/A** by default.\n    * 
  **Exception**: Valid ONLY if on a critical sensitive action (e.g., Confirm Transfer) with no other confirmation step.\n\n---\n\n## 🧪 Test Plan \u0026 Rules\n*   **Header**: Include `X-H1-traffic: \u003cusername\u003e` in all requests.\n*   **Accounts**: Use your `@wearehackerone.com` alias.\n*   **Unrelated Issues vs. Exploit Chains**:\n    *   Do not group **unrelated** vulnerabilities in a single report.\n    *   **Exception**: You MUST chain vulnerabilities if necessary to demonstrate impact (e.g., chaining Self-XSS with CSRF). This is considered a single \"Exploit Chain\".\n*   **Safe Harbor**: Activities conducted consistent with this policy are authorized. We will not initiate legal action against you.\n\n## 🤐 Disclosure Policy\n*   **Default**: This program follows HackerOne's **Coordinated Disclosure Policy**.\n*   **Public Disclosure**: We generally agree to public disclosure **after a fix has been deployed and verified**.\n*   **Mutual Agreement**: Requests for disclosure will be reviewed on a case-by-case basis. Do not disclose any details publicly without our explicit written consent.\n\n## 📝 Submission Quality Standards\nTo help us validate your report faster:\n1.  **Structured Steps**: Use the numbered steps in the submission form. Do not write paragraphs.\n2.  **Video PoC**: Highly recommended for complex UI bugs.\n\n\n\n---\n\n\n## 🌉 Web3 / Smart Contracts Scope\n\nRipio's Web3 program covers the WFIAT wrapped-fiat stablecoin contracts (wARS, wMXN, wBRL, wCOP, wCLP, wPEN, USDar), the LimitedMinter contracts, and the associated cross-chain bridge infrastructure. Only the addresses listed in the table below are in scope. Any other contract deployed by Ripio and not included here is considered out of scope.\n\n**Important — Upgradable Contracts**: WFIAT token contracts are upgradable and use the `UPGRADER_ROLE` access-control role. \"In scope\" refers to the **current implementation** deployed to the proxy addresses listed below. 
Vulnerabilities found in prior implementations that have already been upgraded out are **not eligible** for a reward. Researchers should verify the implementation currently pointed to by each proxy at submission time.\n\n### Canonical WFIAT Contract Addresses\n\nAll WFIAT token contracts share the same address across chains (CREATE2 deployment). Verify each contract on the block explorer corresponding to the target network.\n\n**Token Contracts (same address across all listed chains)**\n\n| Contract | Address | Chains |\n|----------|---------|--------|\n| wARS — Peso Argentino | `0x0DC4F92879B7670e5f4e4e6e3c801D229129D90D` | Ethereum, Base, Polygon, BSC, Gnosis, World Chain |\n| wMXN — Peso Mexicano | `0x337E7456B420bD3481e7FA61fA9850343d610d34` | Ethereum, Base, Polygon, BSC, Gnosis, World Chain |\n| wBRL — Real Brasileño | `0xD76f5Faf6888e24D9F04Bf92a0c8B921FE4390e0` | Ethereum, Base, Polygon, BSC, Gnosis, World Chain |\n| wCOP — Peso Colombiano | `0x8a1D45e102e886510e891d2Ec656a708991e2D76` | Ethereum, Base, Polygon, BSC, Gnosis, World Chain |\n| wCLP — Peso Chileno | `0x61D450a098b6a7f69fC4b98CE68198fe59768651` | Ethereum, Base, Polygon, BSC, Gnosis, World Chain |\n| wPEN — Sol Peruano | `0x4F34c8b3b5FB6D98Da888F0feA543d4d9C9F2eBE` | Ethereum, Base, Polygon, BSC, Gnosis, World Chain |\n| USDar — Dólar Austral | `0xdcC340132740AD57E9Fc90C9BD08B00dBbc87986` | Ethereum only |\n\n**Cross-Chain Bridge Infrastructure (same address across all listed chains)**\n\n| Contract | Address | Chains |\n|----------|---------|--------|\n| BridgeDeposit | `0x465e642387d3d73a57CDc1368fFA53A800bA5D47` | Ethereum, Base, Polygon, BSC, Gnosis, World Chain |\n| LimitedMinterBridge | `0x46167cB034feC6ceC46CaeD4f61281f5Aa0Eb0e6` | Ethereum, Base, Polygon, BSC, Gnosis, World Chain |\n\n**LimitedMinter (address varies by chain)**\n\n| Address | Chains |\n|---------|--------|\n| `0xD168CFbBE260D48cd119497a9a2eE8482080C5E7` | Ethereum, Gnosis, BSC, Polygon |\n| 
`0xf469eC9dEBf7F0adEBA4d1Db2FF5c70707bEeB30` | Base |\n| `0xDe7Ec97CFDeE9F20f9d256F4a0A0d694479fa2E0` | World Chain |\n\n**Chain IDs (EIP-155)**: Ethereum `1` · Base `8453` · World Chain `480` · Gnosis `100` · BNB Smart Chain `56` · Polygon `137`\n\n### Ripio Web3 Severity \u0026 Reward Schedule\n\nRewards for Web3 findings are determined by the business and financial impact of the vulnerability, evaluated by Ripio on a case-by-case basis. The schedule below represents maximum rewards; the final amount depends on exploit feasibility, proof-of-concept quality, and the scope of affected users or funds.\n\n| Severity | Smart Contracts | Web / dApp |\n|----------|-----------------|------------|\n| Critical | up to $25,000   | up to $10,000 |\n| High     | up to $5,000    | up to $2,500  |\n| Medium   | up to $1,000    | up to $500    |\n| Low      | Swag / recognition | Swag / recognition |\n\n### ✅ Qualifying Web3 Vulnerabilities\n\nSeverity is assigned by **demonstrated impact**, not by vulnerability class.\n\n**Critical (Smart Contracts)**\n- Direct theft of user funds held by the contract, whether at rest or in transit\n- Unauthorized minting of WFIAT tokens beyond the intended supply mechanism or beyond the daily limits enforced by the LimitedMinter\n- Unauthorized burning of another user's token balance\n- Permanent freezing of user funds with no admin recovery path\n- Protocol insolvency or accounting errors resulting in value loss for users\n- Bypass of access controls (`DEFAULT_ADMIN_ROLE`, `MINTER_ROLE`, `PAUSER_ROLE`, `UPGRADER_ROLE`) leading to any of the above\n- Cross-chain bridge exploits resulting in double-minting, theft of deposits, or unauthorized withdrawal\n\n**High (Smart Contracts)**\n- Theft or permanent freezing of protocol-owned funds\n- Temporary freezing of user funds for a material duration (\u003e 1 hour)\n- Bypass of access controls without direct fund impact (e.g., executing admin-only configuration changes)\n\n**Medium (Smart 
Contracts)**\n- Griefing attacks with demonstrable damage to users or the protocol but no profit motive for the attacker\n- Unbounded gas consumption reachable by arbitrary callers\n- Theft of gas or forced-transaction revert denial-of-service\n\n**Low (Smart Contracts)**\n- Edge cases where the contract fails to deliver expected behavior without direct value loss\n\n**Web / dApp — `bridge.ripio.com`**\n- **Critical**: arbitrary transaction signing from connected wallets without user consent; mass account takeover; exfiltration of private keys or seed phrases\n- **High**: execution of arbitrary JavaScript in the dApp origin with account-takeover impact; subdomain takeover chained to wallet interaction\n- **Medium**: CSRF or authenticated state-changing flaws with limited impact; sensitive data disclosure (non-secret but material)\n\n### 🚫 Web3-Specific Hard Exclusions\n\nIn addition to the program-wide exclusions, the following are considered **N/A by default** for Web3 assets:\n\n**Smart Contracts**\n- Issues documented in any audit report attached to this program — findings Ripio has accepted as residual risk are not eligible\n- **Centralization risks** inherent to the design: admin keys, pausable roles, upgradable proxies, mint/burn permissions held by privileged accounts, and multisig-controlled operations are **accepted design choices**\n- Gas optimization suggestions with no security impact\n- Best-practice violations without a demonstrated exploit (missing events, floating pragma, naming conventions, unused code)\n- Compiler bugs in mainstream Solidity versions\n- **MEV, frontrunning, and sandwich attacks** — these are inherent to public blockchains and are not considered vulnerabilities\n- User-configurable slippage losses\n- Oracle price deviations within the tolerance thresholds documented by the oracle provider\n- Theoretical reentrancy without a working PoC exploiting actual state changes\n- Attacks requiring compromised admin or multisig keys — key 
compromise is a governance matter, not a smart-contract vulnerability\n- Bugs in third-party libraries (OpenZeppelin contracts, standard token implementations) unless Ripio's specific integration or customization introduces the vulnerability\n\n**Web / dApp**\n- Issues caused by the user's wallet provider (MetaMask, WalletConnect, Ledger, etc.)\n- Lookalike or phishing domains — report to the domain registrar / provider\n- Frontend-only issues (missing headers, cosmetic UI) without on-chain or wallet impact\n\n### 🧪 Web3 Testing Rules\n\n- **No testing on mainnet or public testnets is permitted.** All proofs of concept must be reproducible on a **local fork** using tools such as Foundry, Hardhat, Anvil, or Tenderly.\n- Flash-loan simulations are allowed on local forks.\n- Do not interact with production contracts in ways that could affect real user funds or protocol state. Do not attempt to front-run, extract value from, or manipulate production; such activities are considered attacks, not research, and fall outside Safe Harbor.\n- **A runnable PoC is mandatory** for all Web3 submissions (Foundry test, Hardhat script, or equivalent). Reports without a working PoC will be closed as Not Applicable.\n- **PoCs must include: affected contract and function references, the exploit transaction sequence, and the on-chain state changes demonstrating impact.** ⭐️\n\n### 💰 Payout Conditions\n\n- Payouts are processed via HackerOne in USD.\n- KYC may be required for payouts exceeding $500, following HackerOne's standard flow.\n- Vulnerabilities previously documented in audit reports attached to this program — whether fixed, in progress, or accepted as residual risk — are not eligible for a reward.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Ripio’s HackerOne Program! 
🎉 We’re thrilled to have you join us on this exciting journey to make Ripio even safer and stronger together! 💪 Your skills, creativity, and dedication are truly valued, and we can’t wait to see what you’ll uncover. Let’s collaborate and make a difference! 🚀\n\nHappy Hunting! 👾👾","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-04-29T14:05:56.445Z"},{"id":3770673,"new_policy":"# Ripio HackerOne Program - Scope \u0026 Exclusions Policy (Logic-Based)\n\nTo ensure clear communication and efficient triage, we have defined our scope using strict logic-based rules. Please review these exclusions carefully before submitting.\n\n## 🏆 ATO Challenge (Special Bounty: $6,000)\n**Objective**: Demonstrate a full Account Takeover by bypassing authentication mechanisms, **specifically bypassing 2FA**, to obtain a valid user session and **perform a critical action**.\n*   **Target User**: `ripiotestuser1@gmail.com`\n*   **Password**: `Sup3rs3cr3t!`\n*   **Required Proof**: You must demonstrate access to **Sensitive Information Disclosure**, **Wallet Balance**, or perform a **Minimal Transfer**. Merely logging in is not enough if the session is restricted.\n*   **Security Controls**: 2FA is ENABLED. You must bypass it.\n*   **Constraint**: The email provider itself (`@gmail.com`) is **Out-of-Scope**. 
Do not attempt to compromise the Google account to read codes.\n*   **Prohibited**: Brute force attacks and Social Engineering are strictly prohibited.\n\n---\n\n## ✅ Qualifying Vulnerabilities (Focus Areas)\n*While we welcome all valid security vulnerabilities, we are specifically interested in:*\n\n### 📱 Mobile Specific\n*   **Insecure Data Storage**: Sensitive data (PII, Credentials) stored in plain text (SharedPrefs, SQLite, External Storage).\n*   **Deep Link / Intent Hijacking**: Malicious intents leading to Account Takeover or Sensitive Action execution.\n*   **Biometric Bypass**: Bypassing local authentication mechanisms.\n*   **Hardcoded Secrets**: Valid API Keys or Credentials found in the binary (must be verified).\n\n### 🌐 Web \u0026 API\n*   **Business Logic Errors**: Payment manipulation, unauthorized transfers.\n*   **Broken Access Control**: IDOR, Privilege Escalation.\n*   **Injection**: SQLi, RCE.\n\n---\n\n## 🚫 Hard Exclusions (Auto-Close Rules)\n*Reports falling into these categories will be closed as **N/A (Not Applicable)** immediately. 
We do not accept theoretical arguments for these issues.*\n\n### Attack Vector Constraints\n*   **Physical \u0026 Local Access**: Any attack requiring physical access to the victim's device or access to the victim's local network (e.g., MITM, local malware, self-installed certificates).\n*   **Social Engineering**: Phishing, Vishing, Smishing, or any attack relying on deceiving employees or users.\n*   **Denial of Service (DoS/DDoS)**: Any activity that disrupts, degrades, or interrupts service availability.\n*   **Brute Force**: Repetitive automated attempts against authentication endpoints.\n*   **Third-Party Flaws**: Vulnerabilities in 3rd party providers or integrations, unless they directly compromise Ripio data/infrastructure.\n\n### Infrastructure \u0026 Configuration\n*   **SSL/TLS Configuration**: Missing security headers (HSTS, HPKP), weak ciphers, or certificate issues.\n*   **Email Security Records**: Missing or incomplete SPF, DMARC, or DKIM records.\n*   **Information Disclosure (Low Impact)**:\n    *   Verbose error messages or stack traces (unless they contain sensitive PII/Credentials).\n    *   Server banner grabbing / Version disclosure.\n    *   Publicly accessible files (robots.txt, readme.md, WordPress files) without sensitive data.\n*   **CORS**: Cross-Origin Resource Sharing issues without a working PoC demonstrating sensitive data exfiltration.\n*   **COOP**: Cross-Origin Opener Policy issues without a working PoC demonstrating sensitive data exfiltration.\n*   **COEP**: Cross-Origin Embedder Policy issues without a working PoC demonstrating sensitive data exfiltration.\n\n---\n\n## ⚠️ Conditional Exclusions (Proof Required)\n*These issues are considered N/A **UNLESS** the specific condition described below is met and demonstrated in the Proof of Concept.*\n\n### XSS \u0026 Client-Side Attacks\n*   **Reflected XSS**:\n    *   **Rule**: **Conditional Exclusion**. 
Reports showing only `alert(1)` or non-sensitive DOM manipulation are **N/A**.\n    *   **Exception**: Valid **ONLY** if you demonstrate **Account Takeover** or **Sensitive Action Execution** via a clickable link or iframe (e.g., stealing a session token, bypassing CSRF to change email). The impact must be proven, not theoretical.\n*   **Self-XSS**:\n    *   **Rule**: **Out-of-Scope** if it requires the user to paste code into the console or address bar.\n    *   **Exception**: Valid ONLY if chained with another vulnerability (e.g., CSRF) to execute without user self-sabotage.\n*   **Clickjacking**:\n    *   **Rule**: Strictly **Out-of-Scope** on pages without sensitive state-changing actions (e.g., Login, Logout, Static Content).\n    *   **Exception**: Valid ONLY if you demonstrate a critical state change (e.g., Transfer Funds, Delete Account, Authorize App).\n*   **Cookie Flags**:\n    *   **Rule**: Missing `Secure` or `HttpOnly` flags are N/A.\n    *   **Exception**: Valid ONLY if you provide a working PoC that exploits this specific lack of protection.\n\n### Mobile \u0026 Native Apps\n*   **Obfuscation / Binary Protection**:\n    *   **Rule**: Lack of obfuscation, anti-debugging, or binary protection is **N/A**.\n    *   **Exception**: Valid ONLY if you can reverse engineer hardcoded secrets (API Keys, Credentials) that grant unauthorized access.\n*   **SSL Pinning / Root Detection**:\n    *   **Rule**: Bypassing client-side controls (Pinning, Root/Jailbreak detection) on your own device is **N/A**.\n    *   **Exception**: Valid ONLY if the bypass allows server-side exploitation that affects other users.\n*   **Local Data Leaks (Snapshots/Pasteboard)**:\n    *   **Rule**: Application snapshots or keyboard cache/pasteboard leakage are **N/A**.\n    *   **Exception**: Valid ONLY if it exposes high-impact sensitive data (e.g., Credit Card numbers, Passwords) in a shared context.\n*   **Tapjacking / Overlay Attacks**:\n    *   **Rule**: **N/A** by default.\n    * 
  **Exception**: Valid ONLY if on a critical sensitive action (e.g., Confirm Transfer) with no other confirmation step.\n\n---\n\n## 🧪 Test Plan \u0026 Rules\n*   **Header**: Include `X-H1-traffic: \u003cusername\u003e` in all requests.\n*   **Accounts**: Use your `@wearehackerone.com` alias.\n*   **Unrelated Issues vs. Exploit Chains**:\n    *   Do not group **unrelated** vulnerabilities in a single report.\n    *   **Exception**: You MUST chain vulnerabilities if necessary to demonstrate impact (e.g., chaining Self-XSS with CSRF). This is considered a single \"Exploit Chain\".\n*   **Safe Harbor**: Activities conducted consistent with this policy are authorized. We will not initiate legal action against you.\n\n## 🤐 Disclosure Policy\n*   **Default**: This program follows HackerOne's **Coordinated Disclosure Policy**.\n*   **Public Disclosure**: We generally agree to public disclosure **after a fix has been deployed and verified**.\n*   **Mutual Agreement**: Requests for disclosure will be reviewed on a case-by-case basis. Do not disclose any details publicly without our explicit written consent.\n\n## 📝 Submission Quality Standards\nTo help us validate your report faster:\n1.  **Structured Steps**: Use the numbered steps in the submission form. Do not write paragraphs.\n2.  **Video PoC**: Highly recommended for complex UI bugs.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Ripio’s HackerOne Program! 🎉 We’re thrilled to have you join us on this exciting journey to make Ripio even safer and stronger together! 💪 Your skills, creativity, and dedication are truly valued, and we can’t wait to see what you’ll uncover. Let’s collaborate and make a difference! 🚀\n\nHappy Hunting! 
👾👾","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-06T18:19:53.739Z"},{"id":3770672,"new_policy":"# Ripio HackerOne Program - Scope \u0026 Exclusions Policy (Logic-Based)\n\nTo ensure clear communication and efficient triage, we have defined our scope using strict logic-based rules. Please review these exclusions carefully before submitting.\n\n## 🏆 ATO Challenge (Special Bounty: $6,000)\n**Objective**: Demonstrate a full Account Takeover by bypassing authentication mechanisms, **specifically bypassing 2FA**, to obtain a valid user session and **perform a critical action**.\n*   **Target User**: `ripiotestuser1@gmail.com`\n*   **Password**: `Sup3rs3cr3t!`\n*   **Required Proof**: You must demonstrate access to **Sensitive Information Disclosure**, **Wallet Balance**, or perform a **Minimal Transfer**. Merely logging in is not enough if the session is restricted.\n*   **Security Controls**: 2FA is ENABLED. You must bypass it.\n*   **Constraint**: The email provider itself (`@gmail.com`) is **Out-of-Scope**. 
Do not attempt to compromise the Google account to read codes.\n*   **Prohibited**: Brute force attacks and Social Engineering are strictly prohibited.\n\n---\n\n## ✅ Qualifying Vulnerabilities (Focus Areas)\n*While we welcome all valid security vulnerabilities, we are specifically interested in:*\n\n### 📱 Mobile Specific\n*   **Insecure Data Storage**: Sensitive data (PII, Credentials) stored in plain text (SharedPrefs, SQLite, External Storage).\n*   **Deep Link / Intent Hijacking**: Malicious intents leading to Account Takeover or Sensitive Action execution.\n*   **Biometric Bypass**: Bypassing local authentication mechanisms.\n*   **Hardcoded Secrets**: Valid API Keys or Credentials found in the binary (must be verified).\n\n### 🌐 Web \u0026 API\n*   **Business Logic Errors**: Payment manipulation, unauthorized transfers.\n*   **Broken Access Control**: IDOR, Privilege Escalation.\n*   **Injection**: SQLi, RCE.\n\n---\n\n## 🚫 Hard Exclusions (Auto-Close Rules)\n*Reports falling into these categories will be closed as **N/A (Not Applicable)** immediately. 
We do not accept theoretical arguments for these issues.*\n\n### Attack Vector Constraints\n*   **Physical \u0026 Local Access**: Any attack requiring physical access to the victim's device or access to the victim's local network (e.g., MITM, local malware, self-installed certificates).\n*   **Social Engineering**: Phishing, Vishing, Smishing, or any attack relying on deceiving employees or users.\n*   **Denial of Service (DoS/DDoS)**: Any activity that disrupts, degrades, or interrupts service availability.\n*   **Brute Force**: Repetitive automated attempts against authentication endpoints.\n*   **Third-Party Flaws**: Vulnerabilities in 3rd party providers or integrations, unless they directly compromise Ripio data/infrastructure.\n\n### Infrastructure \u0026 Configuration\n*   **SSL/TLS Configuration**: Missing security headers (HSTS, HPKP), weak ciphers, or certificate issues.\n*   **Email Security Records**: Missing or incomplete SPF, DMARC, or DKIM records.\n*   **Information Disclosure (Low Impact)**:\n    *   Verbose error messages or stack traces (unless they contain sensitive PII/Credentials).\n    *   Server banner grabbing / Version disclosure.\n    *   Publicly accessible files (robots.txt, readme.md, WordPress files) without sensitive data.\n*   **CORS**: Cross-Origin Resource Sharing issues without a working PoC demonstrating sensitive data exfiltration.\n*   **COOP**: Cross-Origin Opener Policy issues without a working PoC demonstrating sensitive data exfiltration.\n*   **COEP**: Cross-Origin Embedder Policy issues without a working PoC demonstrating sensitive data exfiltration.\n\n---\n\n## ⚠️ Conditional Exclusions (Proof Required)\n*These issues are considered N/A **UNLESS** the specific condition described below is met and demonstrated in the Proof of Concept.*\n\n### XSS \u0026 Client-Side Attacks\n*   **Reflected XSS**:\n    *   **Rule**: **Conditional Exclusion**. 
Reports showing only `alert(1)` or non-sensitive DOM manipulation are **N/A**.\n    *   **Exception**: Valid **ONLY** if you demonstrate **Account Takeover** or **Sensitive Action Execution** via a clickable link or iframe (e.g., stealing a session token, bypassing CSRF to change email). The impact must be proven, not theoretical.\n*   **Self-XSS**:\n    *   **Rule**: **Out-of-Scope** if it requires the user to paste code into the console or address bar.\n    *   **Exception**: Valid ONLY if chained with another vulnerability (e.g., CSRF) to execute without user self-sabotage.\n*   **Clickjacking**:\n    *   **Rule**: Strictly **Out-of-Scope** on pages without sensitive state-changing actions (e.g., Login, Logout, Static Content).\n    *   **Exception**: Valid ONLY if you demonstrate a critical state change (e.g., Transfer Funds, Delete Account, Authorize App).\n*   **Cookie Flags**:\n    *   **Rule**: Missing `Secure` or `HttpOnly` flags are N/A.\n    *   **Exception**: Valid ONLY if you provide a working PoC that exploits this specific lack of protection.\n\n### Mobile \u0026 Native Apps\n*   **Obfuscation / Binary Protection**:\n    *   **Rule**: Lack of obfuscation, anti-debugging, or binary protection is **N/A**.\n    *   **Exception**: Valid ONLY if you can reverse engineer hardcoded secrets (API Keys, Credentials) that grant unauthorized access.\n*   **SSL Pinning / Root Detection**:\n    *   **Rule**: Bypassing client-side controls (Pinning, Root/Jailbreak detection) on your own device is **N/A**.\n    *   **Exception**: Valid ONLY if the bypass allows server-side exploitation that affects other users.\n*   **Local Data Leaks (Snapshots/Pasteboard)**:\n    *   **Rule**: Application snapshots or keyboard cache/pasteboard leakage are **N/A**.\n    *   **Exception**: Valid ONLY if it exposes high-impact sensitive data (e.g., Credit Card numbers, Passwords) in a shared context.\n*   **Tapjacking / Overlay Attacks**:\n    *   **Rule**: **N/A** by default.\n    * 
  **Exception**: Valid ONLY if on a critical sensitive action (e.g., Confirm Transfer) with no other confirmation step.\n\n---\n\n## 🧪 Test Plan \u0026 Rules\n*   **Header**: Include `X-H1-traffic: \u003cusername\u003e` in all requests.\n*   **Accounts**: Use your `@wearehackerone.com` alias.\n*   **Unrelated Issues vs. Exploit Chains**:\n    *   Do not group **unrelated** vulnerabilities in a single report.\n    *   **Exception**: You MUST chain vulnerabilities if necessary to demonstrate impact (e.g., chaining Self-XSS with CSRF). This is considered a single \"Exploit Chain\".\n*   **Safe Harbor**: Activities conducted consistent with this policy are authorized. We will not initiate legal action against you.\n\n## 🤐 Disclosure Policy\n*   **Default**: This program follows HackerOne's **Coordinated Disclosure Policy**.\n*   **Public Disclosure**: We generally agree to public disclosure **after a fix has been deployed and verified**.\n*   **Mutual Agreement**: Requests for disclosure will be reviewed on a case-by-case basis. Do not disclose any details publicly without our explicit written consent.\n\n## 📝 Submission Quality Standards\nTo help us validate your report faster:\n1.  **Structured Steps**: Use the numbered steps in the submission form. Do not write paragraphs.\n2.  **Video PoC**: Highly recommended for complex UI bugs.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Ripio’s HackerOne Program! 🎉 We’re thrilled to have you join us on this exciting journey to make Ripio even safer and stronger together! 💪 Your skills, creativity, and dedication are truly valued, and we can’t wait to see what you’ll uncover. Let’s collaborate and make a difference! 🚀\n\nHappy Hunting! 
👾👾","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-06T18:17:58.872Z"},{"id":3767825,"new_policy":"# Ripio HackerOne Program - Scope \u0026 Exclusions Policy (Logic-Based)\n\nTo ensure clear communication and efficient triage, we have defined our scope using strict logic-based rules. Please review these exclusions carefully before submitting.\n\n## 🏆 ATO Challenge (Special Bounty: $6,000)\n**Objective**: Demonstrate a full Account Takeover by bypassing authentication mechanisms, **specifically bypassing 2FA**, to obtain a valid user session and **perform a critical action**.\n*   **Target User**: `ripiotestuser1@gmail.com`\n*   **Password**: `Sup3rs3cr3t!`\n*   **Required Proof**: You must demonstrate access to **PII (Profile Info)**, **Wallet Balance**, or perform a **Minimal Transfer**. Merely logging in is not enough if the session is restricted.\n*   **Security Controls**: 2FA is ENABLED. You must bypass it.\n*   **Constraint**: The email provider itself (`@gmail.com`) is **Out-of-Scope**. 
Do not attempt to compromise the Google account to read codes.\n*   **Prohibited**: Brute force attacks and Social Engineering are strictly prohibited.\n\n---\n\n## ✅ Qualifying Vulnerabilities (Focus Areas)\n*While we welcome all valid security vulnerabilities, we are specifically interested in:*\n\n### 📱 Mobile Specific\n*   **Insecure Data Storage**: Sensitive data (PII, Credentials) stored in plain text (SharedPrefs, SQLite, External Storage).\n*   **Deep Link / Intent Hijacking**: Malicious intents leading to Account Takeover or Sensitive Action execution.\n*   **Biometric Bypass**: Bypassing local authentication mechanisms.\n*   **Hardcoded Secrets**: Valid API Keys or Credentials found in the binary (must be verified).\n\n### 🌐 Web \u0026 API\n*   **Business Logic Errors**: Payment manipulation, unauthorized transfers.\n*   **Broken Access Control**: IDOR, Privilege Escalation.\n*   **Injection**: SQLi, RCE.\n\n---\n\n## 🚫 Hard Exclusions (Auto-Close Rules)\n*Reports falling into these categories will be closed as **N/A (Not Applicable)** immediately. 
We do not accept theoretical arguments for these issues.*\n\n### Attack Vector Constraints\n*   **Physical \u0026 Local Access**: Any attack requiring physical access to the victim's device or access to the victim's local network (e.g., MITM, local malware, self-installed certificates).\n*   **Social Engineering**: Phishing, Vishing, Smishing, or any attack relying on deceiving employees or users.\n*   **Denial of Service (DoS/DDoS)**: Any activity that disrupts, degrades, or interrupts service availability.\n*   **Brute Force**: Repetitive automated attempts against authentication endpoints.\n*   **Third-Party Flaws**: Vulnerabilities in 3rd party providers or integrations, unless they directly compromise Ripio data/infrastructure.\n\n### Infrastructure \u0026 Configuration\n*   **SSL/TLS Configuration**: Missing security headers (HSTS, HPKP), weak ciphers, or certificate issues.\n*   **Email Security Records**: Missing or incomplete SPF, DMARC, or DKIM records.\n*   **Information Disclosure (Low Impact)**:\n    *   Verbose error messages or stack traces (unless they contain sensitive PII/Credentials).\n    *   Server banner grabbing / Version disclosure.\n    *   Publicly accessible files (robots.txt, readme.md, WordPress files) without sensitive data.\n*   **CORS**: Cross-Origin Resource Sharing issues without a working PoC demonstrating sensitive data exfiltration.\n*   **COOP**: Cross-Origin Opener Policy issues without a working PoC demonstrating sensitive data exfiltration.\n*   **COEP**: Cross-Origin Embedder Policy issues without a working PoC demonstrating sensitive data exfiltration.\n\n---\n\n## ⚠️ Conditional Exclusions (Proof Required)\n*These issues are considered N/A **UNLESS** the specific condition described below is met and demonstrated in the Proof of Concept.*\n\n### XSS \u0026 Client-Side Attacks\n*   **Reflected XSS**:\n    *   **Rule**: **Conditional Exclusion**. 
Reports showing only `alert(1)` or non-sensitive DOM manipulation are **N/A**.\n    *   **Exception**: Valid **ONLY** if you demonstrate **Account Takeover** or **Sensitive Action Execution** via a clickable link or iframe (e.g., stealing a session token, bypassing CSRF to change email). The impact must be proven, not theoretical.\n*   **Self-XSS**:\n    *   **Rule**: **Out-of-Scope** if it requires the user to paste code into the console or address bar.\n    *   **Exception**: Valid ONLY if chained with another vulnerability (e.g., CSRF) to execute without user self-sabotage.\n*   **Clickjacking**:\n    *   **Rule**: Strictly **Out-of-Scope** on pages without sensitive state-changing actions (e.g., Login, Logout, Static Content).\n    *   **Exception**: Valid ONLY if you demonstrate a critical state change (e.g., Transfer Funds, Delete Account, Authorize App).\n*   **Cookie Flags**:\n    *   **Rule**: Missing `Secure` or `HttpOnly` flags are N/A.\n    *   **Exception**: Valid ONLY if you provide a working PoC that exploits this specific lack of protection.\n\n### Mobile \u0026 Native Apps\n*   **Obfuscation / Binary Protection**:\n    *   **Rule**: Lack of obfuscation, anti-debugging, or binary protection is **N/A**.\n    *   **Exception**: Valid ONLY if you can reverse engineer hardcoded secrets (API Keys, Credentials) that grant unauthorized access.\n*   **SSL Pinning / Root Detection**:\n    *   **Rule**: Bypassing client-side controls (Pinning, Root/Jailbreak detection) on your own device is **N/A**.\n    *   **Exception**: Valid ONLY if the bypass allows server-side exploitation that affects other users.\n*   **Local Data Leaks (Snapshots/Pasteboard)**:\n    *   **Rule**: Application snapshots or keyboard cache/pasteboard leakage are **N/A**.\n    *   **Exception**: Valid ONLY if it exposes high-impact sensitive data (e.g., Credit Card numbers, Passwords) in a shared context.\n*   **Tapjacking / Overlay Attacks**:\n    *   **Rule**: **N/A** by default.\n    * 
  **Exception**: Valid ONLY if on a critical sensitive action (e.g., Confirm Transfer) with no other confirmation step.\n\n---\n\n## 🧪 Test Plan \u0026 Rules\n*   **Header**: Include `X-H1-traffic: \u003cusername\u003e` in all requests.\n*   **Accounts**: Use your `@wearehackerone.com` alias.\n*   **Unrelated Issues vs. Exploit Chains**:\n    *   Do not group **unrelated** vulnerabilities in a single report.\n    *   **Exception**: You MUST chain vulnerabilities if necessary to demonstrate impact (e.g., chaining Self-XSS with CSRF). This is considered a single \"Exploit Chain\".\n*   **Safe Harbor**: Activities conducted consistent with this policy are authorized. We will not initiate legal action against you.\n\n## 🤐 Disclosure Policy\n*   **Default**: This program follows HackerOne's **Coordinated Disclosure Policy**.\n*   **Public Disclosure**: We generally agree to public disclosure **after a fix has been deployed and verified**.\n*   **Mutual Agreement**: Requests for disclosure will be reviewed on a case-by-case basis. Do not disclose any details publicly without our explicit written consent.\n\n## 📝 Submission Quality Standards\nTo help us validate your report faster:\n1.  **Structured Steps**: Use the numbered steps in the submission form. Do not write paragraphs.\n2.  **Video PoC**: Highly recommended for complex UI bugs.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Ripio’s HackerOne Program! 🎉 We’re thrilled to have you join us on this exciting journey to make Ripio even safer and stronger together! 💪 Your skills, creativity, and dedication are truly valued, and we can’t wait to see what you’ll uncover. Let’s collaborate and make a difference! 🚀\n\nHappy Hunting! 
👾👾","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-12-29T14:25:55.339Z"},{"id":3767011,"new_policy":"# Ripio HackerOne Program - Scope \u0026 Exclusions Policy (Logic-Based)\n\nTo ensure clear communication and efficient triage, we have defined our scope using strict logic-based rules. Please review these exclusions carefully before submitting.\n\n## 🏆 ATO Challenge (Special Bounty: $6,000)\n**Objective**: Demonstrate a full Account Takeover by bypassing authentication mechanisms, **specifically bypassing 2FA**, to obtain a valid user session and **perform a critical action**.\n*   **Target User**: `ripiotestuser1@gmail.com`\n*   **Password**: `Sup3rs3cr3t!`\n*   **Required Proof**: You must demonstrate access to **PII (Profile Info)**, **Wallet Balance**, or perform a **Minimal Transfer**. Merely logging in is not enough if the session is restricted.\n*   **Security Controls**: 2FA is ENABLED. You must bypass it.\n*   **Constraint**: The email provider itself (`@gmail.com`) is **Out-of-Scope**. 
Do not attempt to compromise the Google account to read codes.\n*   **Prohibited**: Brute force attacks and Social Engineering are strictly prohibited.\n\n---\n\n## ✅ Qualifying Vulnerabilities (Focus Areas)\n*While we welcome all valid security vulnerabilities, we are specifically interested in:*\n\n### 📱 Mobile Specific\n*   **Insecure Data Storage**: Sensitive data (PII, Credentials) stored in plain text (SharedPrefs, SQLite, External Storage).\n*   **Deep Link / Intent Hijacking**: Malicious intents leading to Account Takeover or Sensitive Action execution.\n*   **Biometric Bypass**: Bypassing local authentication mechanisms.\n*   **Hardcoded Secrets**: Valid API Keys or Credentials found in the binary (must be verified).\n\n### 🌐 Web \u0026 API\n*   **Business Logic Errors**: Payment manipulation, unauthorized transfers.\n*   **Broken Access Control**: IDOR, Privilege Escalation.\n*   **Injection**: SQLi, RCE.\n\n---\n\n## 🚫 Hard Exclusions (Auto-Close Rules)\n*Reports falling into these categories will be closed as **N/A (Not Applicable)** immediately. We do not accept theoretical arguments for these issues.*\n\n### 1. Attack Vector Constraints\n*   **Physical \u0026 Local Access**: Any attack requiring physical access to the victim's device or access to the victim's local network (e.g., MITM, local malware, self-installed certificates).\n*   **Social Engineering**: Phishing, Vishing, Smishing, or any attack relying on deceiving employees or users.\n*   **Denial of Service (DoS/DDoS)**: Any activity that disrupts, degrades, or interrupts service availability.\n*   **Brute Force**: Repetitive automated attempts against authentication endpoints.\n*   **Third-Party Flaws**: Vulnerabilities in 3rd party providers or integrations, unless they directly compromise Ripio data/infrastructure.\n\n### 2. 
Infrastructure \u0026 Configuration\n*   **SSL/TLS Configuration**: Missing security headers (HSTS, HPKP), weak ciphers, or certificate issues.\n*   **Email Security Records**: Missing or incomplete SPF, DMARC, or DKIM records.\n*   **Information Disclosure (Low Impact)**:\n    *   Verbose error messages or stack traces (unless they contain sensitive PII/Credentials).\n    *   Server banner grabbing / Version disclosure.\n    *   Publicly accessible files (robots.txt, readme.md, WordPress files) without sensitive data.\n*   **CORS**: Cross-Origin Resource Sharing issues without a working PoC demonstrating sensitive data exfiltration.\n\n---\n\n## ⚠️ Conditional Exclusions (Proof Required)\n*These issues are considered N/A **UNLESS** the specific condition described below is met and demonstrated in the Proof of Concept.*\n\n### 1. XSS \u0026 Client-Side Attacks\n*   **Reflected XSS**:\n    *   **Rule**: **Conditional Exclusion**. Reports showing only `alert(1)` or non-sensitive DOM manipulation are **N/A**.\n    *   **Exception**: Valid **ONLY** if you demonstrate **Account Takeover** or **Sensitive Action Execution** via a clickable link or iframe (e.g., stealing a session token, bypassing CSRF to change email). 
The impact must be proven, not theoretical.\n*   **Self-XSS**:\n    *   **Rule**: **Out-of-Scope** if it requires the user to paste code into the console or address bar.\n    *   **Exception**: Valid ONLY if chained with another vulnerability (e.g., CSRF) to execute without user self-sabotage.\n*   **Clickjacking**:\n    *   **Rule**: Strictly **Out-of-Scope** on pages without sensitive state-changing actions (e.g., Login, Logout, Static Content).\n    *   **Exception**: Valid ONLY if you demonstrate a critical state change (e.g., Transfer Funds, Delete Account, Authorize App).\n*   **Cookie Flags**:\n    *   **Rule**: Missing `Secure` or `HttpOnly` flags are N/A.\n    *   **Exception**: Valid ONLY if you provide a working PoC that exploits this specific lack of protection.\n\n### 2. Mobile \u0026 Native Apps\n*   **Obfuscation / Binary Protection**:\n    *   **Rule**: Lack of obfuscation, anti-debugging, or binary protection is **N/A**.\n    *   **Exception**: Valid ONLY if you can reverse engineer hardcoded secrets (API Keys, Credentials) that grant unauthorized access.\n*   **SSL Pinning / Root Detection**:\n    *   **Rule**: Bypassing client-side controls (Pinning, Root/Jailbreak detection) on your own device is **N/A**.\n    *   **Exception**: Valid ONLY if the bypass allows server-side exploitation that affects other users.\n*   **Local Data Leaks (Snapshots/Pasteboard)**:\n    *   **Rule**: Application snapshots or keyboard cache/pasteboard leakage are **N/A**.\n    *   **Exception**: Valid ONLY if it exposes high-impact sensitive data (e.g., Credit Card numbers, Passwords) in a shared context.\n*   **Tapjacking / Overlay Attacks**:\n    *   **Rule**: **N/A** by default.\n    *   **Exception**: Valid ONLY if on a critical sensitive action (e.g., Confirm Transfer) with no other confirmation step.\n\n---\n\n## 🧪 Test Plan \u0026 Rules\n*   **Header**: Include `X-H1-traffic: \u003cusername\u003e` in all requests.\n*   **Accounts**: Use your 
`@wearehackerone.com` alias.\n*   **Unrelated Issues vs. Exploit Chains**:\n    *   Do not group **unrelated** vulnerabilities in a single report.\n    *   **Exception**: You MUST chain vulnerabilities if necessary to demonstrate impact (e.g., chaining Self-XSS with CSRF). This is considered a single \"Exploit Chain\".\n*   **Safe Harbor**: Activities conducted consistent with this policy are authorized. We will not initiate legal action against you.\n\n## 🤐 Disclosure Policy\n*   **Default**: This program follows HackerOne's **Coordinated Disclosure Policy**.\n*   **Public Disclosure**: We generally agree to public disclosure **after a fix has been deployed and verified**.\n*   **Mutual Agreement**: Requests for disclosure will be reviewed on a case-by-case basis. Do not disclose any details publicly without our explicit written consent.\n\n## 📝 Submission Quality Standards\nTo help us validate your report faster:\n1.  **Structured Steps**: Use the numbered steps in the submission form. Do not write paragraphs.\n2.  **Video PoC**: Highly recommended for complex UI bugs.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Ripio’s HackerOne Program! 🎉 We’re thrilled to have you join us on this exciting journey to make Ripio even safer and stronger together! 💪 Your skills, creativity, and dedication are truly valued, and we can’t wait to see what you’ll uncover. Let’s collaborate and make a difference! 🚀\n\nHappy Hunting! 👾👾","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-12-05T14:09:08.637Z"},{"id":3766989,"new_policy":"# Ripio HackerOne Program - Scope \u0026 Exclusions Policy (Logic-Based)\n\nTo ensure clear communication and efficient triage, we have defined our scope using strict logic-based rules. 
Please review these exclusions carefully before submitting.\n\n## 🏆 ATO Challenge (Special Bounty: $6,000)\n**Objective**: Demonstrate a full Account Takeover by bypassing authentication mechanisms, **specifically bypassing 2FA**, to obtain a valid user session and **perform a critical action**.\n* **Target User**: `ripiotestuser1@gmail.com`\n* **Password**: `Sup3rs3cr3t!`\n* **Required Proof**: You must demonstrate access to **PII (Profile Info)**, **Wallet Balance**, or perform a **Minimal Transfer**. Merely logging in is not enough if the session is restricted.\n* **Security Controls**: 2FA is ENABLED. You must bypass it.\n* **Constraint**: The email provider itself (`@gmail.com`) is **Out-of-Scope**. Do not attempt to compromise the Google account to read codes.\n* **Prohibited**: Brute force attacks and Social Engineering are strictly prohibited.\n\n---\n\n## ✅ Qualifying Vulnerabilities (Focus Areas)\n*While we welcome all valid security vulnerabilities, we are specifically interested in:*\n\n### 📱 Mobile Specific\n* **Insecure Data Storage**: Sensitive data (PII, Credentials) stored in plain text (SharedPrefs, SQLite, External Storage).\n* **Deep Link / Intent Hijacking**: Malicious intents leading to Account Takeover or Sensitive Action execution.\n* **Biometric Bypass**: Bypassing local authentication mechanisms.\n* **Hardcoded Secrets**: Valid API Keys or Credentials found in the binary (must be verified).\n\n### 🌐 Web \u0026 API\n* **Business Logic Errors**: Payment manipulation, unauthorized transfers.\n* **KYC Bypass**: Circumventing identity verification processes to access restricted features.\n* **Broken Access Control**: IDOR, Privilege Escalation.\n* **Injection**: SQLi, RCE.\n\n---\n\n## 🚫 Hard Exclusions (Auto-Close Rules)\n*Reports falling into these categories will be closed as **N/A (Not Applicable)** immediately. We do not accept theoretical arguments for these issues.*\n\n### 1. 
Attack Vector Constraints\n* **Physical \u0026 Local Access**: Any attack requiring physical access to the victim's device or access to the victim's local network (e.g., MITM, local malware, self-installed certificates).\n* **Social Engineering**: Phishing, Vishing, Smishing, or any attack relying on deceiving employees or users.\n* **Denial of Service (DoS/DDoS)**: Any activity that disrupts, degrades, or interrupts service availability.\n* **Brute Force**: Repetitive automated attempts against authentication endpoints.\n* **User Enumeration**: User enumeration vulnerabilities (e.g., distinct error messages) without a direct exploit vector.\n* **Session Management**: Issues relating to the user session lifetime (e.g., lack of timeout) or Unauthenticated/Logout CSRF.\n* **Third-Party Flaws**: Vulnerabilities in 3rd party providers or integrations, unless they directly compromise Ripio data/infrastructure.\n\n### 2. Infrastructure \u0026 Configuration\n* **Domain \u0026 Infrastructure**: Subdomain Takeover, Dangling DNS, or Git Takeover without proven impact.\n* **Exposed Keys without Impact**: API keys or credentials found in code/history that do not grant access to sensitive data or critical infrastructure.\n* **SSL/TLS Configuration**: Missing security headers (HSTS, HPKP), weak ciphers, or certificate issues.\n* **Email Security Records**: Missing or incomplete SPF, DMARC, or DKIM records.\n* **Information Disclosure (Low Impact)**:\n    * Verbose error messages or stack traces (unless they contain sensitive PII/Credentials).\n    * Server banner grabbing / Version disclosure.\n    * Publicly accessible files (robots.txt, readme.md, WordPress files) without sensitive data.\n* **Injection (Low Impact)**: HTML Injection or CSV Injection without demonstrable security impact.\n* **CORS**: Cross-Origin Resource Sharing issues without a working PoC demonstrating sensitive data exfiltration.\n\n---\n\n## ⚠️ Conditional Exclusions (Proof Required)\n*These issues are 
considered N/A **UNLESS** the specific condition described below is met and demonstrated in the Proof of Concept.*\n\n### 1. XSS \u0026 Client-Side Attacks\n* **Reflected XSS**:\n    * **Rule**: **Conditional Exclusion**. Reports showing only `alert(1)` or non-sensitive DOM manipulation are **N/A**.\n    * **Exception**: Valid **ONLY** if you demonstrate **Account Takeover** or **Sensitive Action Execution** via a clickable link or iframe (e.g., stealing a session token, bypassing CSRF to change email). The impact must be proven, not theoretical.\n* **Self-XSS**:\n    * **Rule**: **Out-of-Scope** if it requires the user to paste code into the console or address bar.\n    * **Exception**: Valid ONLY if chained with another vulnerability (e.g., CSRF) to execute without user self-sabotage.\n* **Clickjacking**:\n    * **Rule**: Strictly **Out-of-Scope** on pages without sensitive state-changing actions (e.g., Login, Logout, Static Content).\n    * **Exception**: Valid ONLY if you demonstrate a critical state change (e.g., Transfer Funds, Delete Account, Authorize App).\n* **Cookie Flags**:\n    * **Rule**: Missing `Secure` or `HttpOnly` flags are N/A.\n    * **Exception**: Valid ONLY if you provide a working PoC that exploits this specific lack of protection.\n\n### 2. 
Mobile \u0026 Native Apps\n* **Obfuscation / Binary Protection**:\n    * **Rule**: Lack of obfuscation, anti-debugging, or binary protection is **N/A**.\n    * **Exception**: Valid ONLY if you can reverse engineer hardcoded secrets (API Keys, Credentials) that grant unauthorized access.\n* **SSL Pinning / Root Detection**:\n    * **Rule**: Bypassing client-side controls (Pinning, Root/Jailbreak detection) on your own device is **N/A**.\n    * **Exception**: Valid ONLY if the bypass allows server-side exploitation that affects other users.\n* **Local Data Leaks (Snapshots/Pasteboard)**:\n    * **Rule**: Application snapshots or keyboard cache/pasteboard leakage are **N/A**.\n    * **Exception**: Valid ONLY if it exposes high-impact sensitive data (e.g., Credit Card numbers, Passwords) in a shared context.\n* **Tapjacking / Overlay Attacks**:\n    * **Rule**: **N/A** by default.\n    * **Exception**: Valid ONLY if on a critical sensitive action (e.g., Confirm Transfer) with no other confirmation step.\n\n---\n\n## 🧪 Test Plan \u0026 Rules\n* **Header**: Include `X-H1-traffic: \u003cusername\u003e` in all requests.\n* **Accounts**: Use your `@wearehackerone.com` alias.\n* **Unrelated Issues vs. Exploit Chains**:\n    * Do not group **unrelated** vulnerabilities in a single report.\n    * **Exception**: You MUST chain vulnerabilities if necessary to demonstrate impact (e.g., chaining Self-XSS with CSRF). This is considered a single \"Exploit Chain\".\n* **Safe Harbor**: Activities conducted consistent with this policy are authorized. We will not initiate legal action against you.\n\n\n## 🔒 Private Program Disclosure Policy\n* **Private Program**: This is a **Private Program**. Do not discuss this program or any vulnerabilities (resolved or unresolved) outside of HackerOne without express written consent from Ripio. 
\n* **Strict Confidentiality**: We do not strictly adhere to public coordinated disclosure timelines for this private engagement.\n* **Violation**: Public disclosure without consent may result in removal from the program.\n\n## 📝 Submission Quality Standards\nTo help us validate your report faster:\n1.  **Structured Steps**: Use the numbered steps in the submission form. Do not write paragraphs.\n2.  **Video PoC**: Highly recommended for complex UI bugs.\n\nThank you for helping keep Ripio and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Ripio’s HackerOne Program! 🎉 We’re thrilled to have you join us on this exciting journey to make Ripio even safer and stronger together! 💪 Your skills, creativity, and dedication are truly valued, and we can’t wait to see what you’ll uncover. Let’s collaborate and make a difference! 🚀\n\nHappy Hunting! 👾👾","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-12-04T14:22:25.325Z"},{"id":3766966,"new_policy":"# Ripio HackerOne Program - Scope \u0026 Exclusions Policy (Logic-Based)\n\nTo ensure clear communication and efficient triage, we have defined our scope using strict logic-based rules. Please review these exclusions carefully before submitting.\n\n## 🏆 ATO Challenge (Special Bounty: $6,000)\n**Objective**: Demonstrate a full Account Takeover by bypassing authentication mechanisms, **specifically bypassing 2FA**, to obtain a valid user session and **perform a critical action**.\n*   **Target User**: `ripiotestuser1@gmail.com`\n*   **Password**: `Sup3rs3cr3t!`\n*   **Required Proof**: You must demonstrate access to **PII (Profile Info)**, **Wallet Balance**, or perform a **Minimal Transfer**. Merely logging in is not enough if the session is restricted.\n*   **Security Controls**: 2FA is ENABLED. 
You must bypass it.\n*   **Constraint**: The email provider itself (`@gmail.com`) is **Out-of-Scope**. Do not attempt to compromise the Google account to read codes.\n*   **Prohibited**: Brute force attacks and Social Engineering are strictly prohibited.\n\n---\n\n## ✅ Qualifying Vulnerabilities (Focus Areas)\n*While we welcome all valid security vulnerabilities, we are specifically interested in:*\n\n**📱 Mobile Specific**\n*   **Insecure Data Storage**: Sensitive data (PII, Credentials) stored in plain text (SharedPrefs, SQLite, External Storage).\n*   **Deep Link / Intent Hijacking**: Malicious intents leading to Account Takeover or Sensitive Action execution.\n*   **Biometric Bypass**: Bypassing local authentication mechanisms.\n*   **Hardcoded Secrets**: Valid API Keys or Credentials found in the binary (must be verified).\n\n**🌐 Web \u0026 API**\n*   **Business Logic Errors**: Payment manipulation, unauthorized transfers.\n*   **Broken Access Control**: IDOR, Privilege Escalation.\n*   **Injection**: SQLi, RCE.\n\n---\n\n## 🚫 Hard Exclusions (Auto-Close Rules)\n*Reports falling into these categories will be closed as **N/A (Not Applicable)** immediately. We do not accept theoretical arguments for these issues.*\n\n**1. Attack Vector Constraints**\n*   **Physical \u0026 Local Access**: Any attack requiring physical access to the victim's device or access to the victim's local network (e.g., MITM, local malware, self-installed certificates).\n*   **Social Engineering**: Phishing, Vishing, Smishing, or any attack relying on deceiving employees or users.\n*   **Denial of Service (DoS/DDoS)**: Any activity that disrupts, degrades, or interrupts service availability.\n*   **Brute Force**: Repetitive automated attempts against authentication endpoints.\n*   **Third-Party Flaws**: Vulnerabilities in 3rd party providers or integrations, unless they directly compromise Ripio data/infrastructure.\n\n**2. 
Infrastructure \u0026 Configuration**\n*   **SSL/TLS Configuration**: Missing security headers (HSTS, HPKP), weak ciphers, or certificate issues.\n*   **Email Security Records**: Missing or incomplete SPF, DMARC, or DKIM records.\n*   **Information Disclosure (Low Impact)**:\n    *   Verbose error messages or stack traces (unless they contain sensitive PII/Credentials).\n    *   Server banner grabbing / Version disclosure.\n    *   Publicly accessible files (robots.txt, readme.md, WordPress files) without sensitive data.\n*   **CORS**: Cross-Origin Resource Sharing issues without a working PoC demonstrating sensitive data exfiltration.\n\n---\n\n## ⚠️ Conditional Exclusions (Proof Required)\n*These issues are considered N/A **UNLESS** the specific condition described below is met and demonstrated in the Proof of Concept.*\n\n**1. XSS \u0026 Client-Side Attacks**\n*   **Reflected XSS**:\n    *   **Rule**: **Conditional Exclusion**. Reports showing only `alert(1)` or non-sensitive DOM manipulation are **N/A**.\n    *   **Exception**: Valid **ONLY** if you demonstrate **Account Takeover** or **Sensitive Action Execution** via a clickable link or iframe (e.g., stealing a session token, bypassing CSRF to change email). 
The impact must be proven, not theoretical.\n*   **Self-XSS**:\n    *   **Rule**: **Out-of-Scope** if it requires the user to paste code into the console or address bar.\n    *   **Exception**: Valid ONLY if chained with another vulnerability (e.g., CSRF) to execute without user self-sabotage.\n*   **Clickjacking**:\n    *   **Rule**: Strictly **Out-of-Scope** on pages without sensitive state-changing actions (e.g., Login, Logout, Static Content).\n    *   **Exception**: Valid ONLY if you demonstrate a critical state change (e.g., Transfer Funds, Delete Account, Authorize App).\n*   **Cookie Flags**:\n    *   **Rule**: Missing `Secure` or `HttpOnly` flags are N/A.\n    *   **Exception**: Valid ONLY if you provide a working PoC that exploits this specific lack of protection.\n\n**2. Mobile \u0026 Native Apps**\n*   **Obfuscation / Binary Protection**:\n    *   **Rule**: Lack of obfuscation, anti-debugging, or binary protection is **N/A**.\n    *   **Exception**: Valid ONLY if you can reverse engineer hardcoded secrets (API Keys, Credentials) that grant unauthorized access.\n*   **SSL Pinning / Root Detection**:\n    *   **Rule**: Bypassing client-side controls (Pinning, Root/Jailbreak detection) on your own device is **N/A**.\n    *   **Exception**: Valid ONLY if the bypass allows server-side exploitation that affects other users.\n*   **Local Data Leaks (Snapshots/Pasteboard)**:\n    *   **Rule**: Application snapshots or keyboard cache/pasteboard leakage are **N/A**.\n    *   **Exception**: Valid ONLY if it exposes high-impact sensitive data (e.g., Credit Card numbers, Passwords) in a shared context.\n*   **Tapjacking / Overlay Attacks**:\n    *   **Rule**: **N/A** by default.\n    *   **Exception**: Valid ONLY if on a critical sensitive action (e.g., Confirm Transfer) with no other confirmation step.\n\n---\n\n## 🧪 Test Plan \u0026 Rules\n*   **Header**: Include `X-H1-traffic: \u003cusername\u003e` in all requests.\n*   **Accounts**: Use your 
`@wearehackerone.com` alias.\n*   **Unrelated Issues vs. Exploit Chains**:\n    *   Do not group **unrelated** vulnerabilities in a single report.\n    *   **Exception**: You MUST chain vulnerabilities if necessary to demonstrate impact (e.g., chaining Self-XSS with CSRF). This is considered a single \"Exploit Chain\".\n*   **Safe Harbor**: Activities conducted consistent with this policy are authorized. We will not initiate legal action against you.\n\n\n## 🤐 Disclosure Policy\n*   **Default**: This program follows HackerOne's **Coordinated Disclosure Policy**.\n*   **Public Disclosure**: We generally agree to public disclosure **after a fix has been deployed and verified**.\n*   **Mutual Agreement**: Requests for disclosure will be reviewed on a case-by-case basis. Do not disclose any details publicly without our explicit written consent.\n\n## 📝 Submission Quality Standards\nTo help us validate your report faster:\n1.  **Structured Steps**: Use the numbered steps in the submission form. Do not write paragraphs.\n2.  **Video PoC**: Highly recommended for complex UI bugs.\n\nThank you for helping keep Ripio and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Ripio’s HackerOne Program! 🎉 We’re thrilled to have you join us on this exciting journey to make Ripio even safer and stronger together! 💪 Your skills, creativity, and dedication are truly valued, and we can’t wait to see what you’ll uncover. Let’s collaborate and make a difference! 🚀\n\nHappy Hunting! 👾👾","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-12-03T21:27:13.818Z"},{"id":3766965,"new_policy":"# Ripio HackerOne Program - Scope \u0026 Exclusions Policy (Logic-Based)\n\nTo ensure clear communication and efficient triage, we have defined our scope using strict logic-based rules. 
Please review these exclusions carefully before submitting.\n\n## 🏆 ATO Challenge (Special Bounty: $6,000)\n**Objective**: Demonstrate a full Account Takeover by bypassing authentication mechanisms, **specifically bypassing 2FA**, to obtain a valid user session and **perform a critical action**.\n*   **Target User**: `ripiotestuser1@gmail.com`\n*   **Password**: `Sup3rs3cr3t!`\n*   **Required Proof**: You must demonstrate access to **PII (Profile Info)**, **Wallet Balance**, or perform a **Minimal Transfer**. Merely logging in is not enough if the session is restricted.\n*   **Security Controls**: 2FA is ENABLED. You must bypass it.\n*   **Constraint**: The email provider itself (`@gmail.com`) is **Out-of-Scope**. Do not attempt to compromise the Google account to read codes.\n*   **Prohibited**: Brute force attacks and Social Engineering are strictly prohibited.\n\n---\n\n## ✅ Qualifying Vulnerabilities (Focus Areas)\n*While we welcome all valid security vulnerabilities, we are specifically interested in:*\n\n### 📱 Mobile Specific\n*   **Insecure Data Storage**: Sensitive data (PII, Credentials) stored in plain text (SharedPrefs, SQLite, External Storage).\n*   **Deep Link / Intent Hijacking**: Malicious intents leading to Account Takeover or Sensitive Action execution.\n*   **Biometric Bypass**: Bypassing local authentication mechanisms.\n*   **Hardcoded Secrets**: Valid API Keys or Credentials found in the binary (must be verified).\n\n### 🌐 Web \u0026 API\n*   **Business Logic Errors**: Payment manipulation, unauthorized transfers.\n*   **Broken Access Control**: IDOR, Privilege Escalation.\n*   **Injection**: SQLi, RCE.\n\n---\n\n## 🚫 Hard Exclusions (Auto-Close Rules)\n*Reports falling into these categories will be closed as **N/A (Not Applicable)** immediately. We do not accept theoretical arguments for these issues.*\n\n### 1. 
Attack Vector Constraints\n*   **Physical \u0026 Local Access**: Any attack requiring physical access to the victim's device or access to the victim's local network (e.g., MITM, local malware, self-installed certificates).\n*   **Social Engineering**: Phishing, Vishing, Smishing, or any attack relying on deceiving employees or users.\n*   **Denial of Service (DoS/DDoS)**: Any activity that disrupts, degrades, or interrupts service availability.\n*   **Brute Force**: Repetitive automated attempts against authentication endpoints.\n*   **Third-Party Flaws**: Vulnerabilities in 3rd party providers or integrations, unless they directly compromise Ripio data/infrastructure.\n\n### 2. Infrastructure \u0026 Configuration\n*   **SSL/TLS Configuration**: Missing security headers (HSTS, HPKP), weak ciphers, or certificate issues.\n*   **Email Security Records**: Missing or incomplete SPF, DMARC, or DKIM records.\n*   **Information Disclosure (Low Impact)**:\n    *   Verbose error messages or stack traces (unless they contain sensitive PII/Credentials).\n    *   Server banner grabbing / Version disclosure.\n    *   Publicly accessible files (robots.txt, readme.md, WordPress files) without sensitive data.\n*   **CORS**: Cross-Origin Resource Sharing issues without a working PoC demonstrating sensitive data exfiltration.\n\n---\n\n## ⚠️ Conditional Exclusions (Proof Required)\n*These issues are considered N/A **UNLESS** the specific condition described below is met and demonstrated in the Proof of Concept.*\n\n### 1. XSS \u0026 Client-Side Attacks\n*   **Reflected XSS**:\n    *   **Rule**: **Conditional Exclusion**. Reports showing only `alert(1)` or non-sensitive DOM manipulation are **N/A**.\n    *   **Exception**: Valid **ONLY** if you demonstrate **Account Takeover** or **Sensitive Action Execution** via a clickable link or iframe (e.g., stealing a session token, bypassing CSRF to change email). 
The impact must be proven, not theoretical.\n*   **Self-XSS**:\n    *   **Rule**: **Out-of-Scope** if it requires the user to paste code into the console or address bar.\n    *   **Exception**: Valid ONLY if chained with another vulnerability (e.g., CSRF) to execute without user self-sabotage.\n*   **Clickjacking**:\n    *   **Rule**: Strictly **Out-of-Scope** on pages without sensitive state-changing actions (e.g., Login, Logout, Static Content).\n    *   **Exception**: Valid ONLY if you demonstrate a critical state change (e.g., Transfer Funds, Delete Account, Authorize App).\n*   **Cookie Flags**:\n    *   **Rule**: Missing `Secure` or `HttpOnly` flags are N/A.\n    *   **Exception**: Valid ONLY if you provide a working PoC that exploits this specific lack of protection.\n\n### 2. Mobile \u0026 Native Apps\n*   **Obfuscation / Binary Protection**:\n    *   **Rule**: Lack of obfuscation, anti-debugging, or binary protection is **N/A**.\n    *   **Exception**: Valid ONLY if you can reverse engineer hardcoded secrets (API Keys, Credentials) that grant unauthorized access.\n*   **SSL Pinning / Root Detection**:\n    *   **Rule**: Bypassing client-side controls (Pinning, Root/Jailbreak detection) on your own device is **N/A**.\n    *   **Exception**: Valid ONLY if the bypass allows server-side exploitation that affects other users.\n*   **Local Data Leaks (Snapshots/Pasteboard)**:\n    *   **Rule**: Application snapshots or keyboard cache/pasteboard leakage are **N/A**.\n    *   **Exception**: Valid ONLY if it exposes high-impact sensitive data (e.g., Credit Card numbers, Passwords) in a shared context.\n*   **Tapjacking / Overlay Attacks**:\n    *   **Rule**: **N/A** by default.\n    *   **Exception**: Valid ONLY if on a critical sensitive action (e.g., Confirm Transfer) with no other confirmation step.\n\n---\n\n## 🧪 Test Plan \u0026 Rules\n*   **Header**: Include `X-H1-traffic: \u003cusername\u003e` in all requests.\n*   **Accounts**: Use your 
`@wearehackerone.com` alias.\n*   **Unrelated Issues vs. Exploit Chains**:\n    *   Do not group **unrelated** vulnerabilities in a single report.\n    *   **Exception**: You MUST chain vulnerabilities if necessary to demonstrate impact (e.g., chaining Self-XSS with CSRF). This is considered a single \"Exploit Chain\".\n*   **Safe Harbor**: Activities conducted consistent with this policy are authorized. We will not initiate legal action against you.\n\n\n## 🤐 Disclosure Policy\n*   **Default**: This program follows HackerOne's **Coordinated Disclosure Policy**.\n*   **Public Disclosure**: We generally agree to public disclosure **after a fix has been deployed and verified**.\n*   **Mutual Agreement**: Requests for disclosure will be reviewed on a case-by-case basis. Do not disclose any details publicly without our explicit written consent.\n\n## 📝 Submission Quality Standards\nTo help us validate your report faster:\n1.  **Structured Steps**: Use the numbered steps in the submission form. Do not write paragraphs.\n2.  **Video PoC**: Highly recommended for complex UI bugs.\n\nThank you for helping keep Ripio and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Ripio’s HackerOne Program! 🎉 We’re thrilled to have you join us on this exciting journey to make Ripio even safer and stronger together! 💪 Your skills, creativity, and dedication are truly valued, and we can’t wait to see what you’ll uncover. Let’s collaborate and make a difference! 🚀\n\nHappy Hunting! 👾👾","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-12-03T21:23:30.167Z"},{"id":3762258,"new_policy":"\n| ATO Challenge              | Information |\n|-------------------|---------------|\n| User:    | ripiotestuser1@gmail.com|\n| Password   | Sup3rs3cr3t!  
|\n\nTo obtain the special bounty, you must demonstrate the ability to obtain a user session with the data provided and perform a critical action on the platform. Brute force attacks are strictly prohibited.\nSpecial bounty reward: $6,000\nNOTE: the email account (@gmail.com) is out of scope. Do not try to log in to the Google account.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to resolve the issue quickly.\n* Give us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.\n\n# Test Plan\n* Include the following HTTP header in all outgoing HTTP requests: `X-H1-traffic: \u003cusername\u003e`\n* Use your @wearehackerone.com email alias to register for accounts.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, it will not be eligible for a reward.\n* Submit one vulnerability per report; do not submit chained vulnerabilities.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n* Vulnerability reports on Ripio's integrations with third parties are not eligible for reward.\n\nE-mail: redteam@ripio.com\n\n# Risk Acceptance\nWhile Ripio strives to address all reported vulnerabilities, we recognize that not all issues can be fixed immediately, and some may be considered acceptable risks due to their low impact on our security posture. In such cases:\n\n* We will transparently communicate our risk acceptance decision, including the rationale for not addressing the vulnerability at this time.\n* We encourage researchers to provide as much detail as possible about the potential impact to help us assess the risk accurately.\n* Accepted risks will be reviewed periodically to ensure our security posture remains aligned with our business objectives and the evolving threat landscape.\n\nWe value your contributions and aim to collaborate closely with researchers to understand and mitigate security risks effectively. \n\n# Qualifying Vulnerabilities\nExamples of vulnerabilities Ripio is interested in receiving:\n\n* Authentication flaws.\n* KYC Bypass.\n* Cross-site scripting (Stored, DOM).\n* SQL Injection.\n* Cross-site request forgery.\n* Server Side Request Forgery.\n* Server-side code execution.\n* Privilege Escalation.\n* Business logic abuse with clear impact.\n* IDOR.\n* XML External Entity injection.\n* Remote File Inclusion.\n* Unvalidated Redirects and Forwards.\n\n# Restrictions\n* Mass automated scanning is not allowed. Please test creatively.\n* If you significantly degrade our service, you risk a program ban.\n* No DoS: our cloud providers prohibit this activity.\n* Participation in this program is prohibited for internal employees.\n\n# Non-Qualifying Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) the attack scenario/exploitability, and (2) the security impact of the bug. 
The following issues are considered out of scope:\n* Reflected XSS and issues exploitable only through Self-XSS.\n* Subdomain takeover or Git takeover.\n* Broken links / social media takeover.\n* Clickjacking.\n* Social engineering attacks.\n* Issues related to credentials or information disclosure in public sources such as Trello, GitHub, Wayback, etc.\n* Attacks requiring MITM, physical access or privileged access to a user device.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Spamming.\n* Vulnerabilities in third parties or in Ripio's providers.\n* Unauthenticated/logout CSRF.\n* Brute force issues.\n* Cross-Origin Resource Sharing (CORS).\n* User enumeration vulnerabilities.\n* Password complexity requirements.\n* Reports from automated tools or scans (without accompanying demonstration of exploitability).\n* HTML injection issues.\n* Cookie flags and security headers (e.g. missing the Secure or HttpOnly flags).\n* Descriptive error messages or headers (e.g. stack traces, application or server errors, banner grabbing).\n* Lack of rate limiting.\n* Disclosure of known public files or directories (e.g. robots.txt, readme.html, WordPress, etc).\n* Lack of code obfuscation in native apps.\n* Issues relating to the user session or the lifetime of the user session.\n* Exposed third-party keys.\n* Exposed keys whose impact cannot be demonstrated.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, 
we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Ripio and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Ripio’s HackerOne Program! 🎉 We’re thrilled to have you join us on this exciting journey to make Ripio even safer and stronger together! 💪 Your skills, creativity, and dedication are truly valued, and we can’t wait to see what you’ll uncover. Let’s collaborate and make a difference! 🚀\n\nHappy Hunting! 👾👾","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-09-03T12:54:52.781Z"},{"id":3762257,"new_policy":"\n| ATO Challenge | Information |\n|---------------|-------------|\n| User | ripiotestuser1@gmail.com |\n| Password | Sup3rs3cr3t! |\n\nTo obtain the special bounty, you must demonstrate the ability to obtain a user session with the data provided and perform a critical action on the platform. Brute force attacks are strictly prohibited.\nSpecial bounty reward: $6,000\nNOTE: the email account (@gmail.com) is out of scope. 
Do not try to log in to the Google account.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to resolve the issue quickly.\n* Give us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.\n\n# Test Plan\n* Include the following HTTP header in all outgoing HTTP requests: `X-H1-traffic: \u003cusername\u003e`\n* Use your @wearehackerone.com email alias to register for accounts.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, it will not be eligible for a reward.\n* Submit one vulnerability per report; do not submit chained vulnerabilities.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Vulnerability reports on Ripio's integrations with third parties are not eligible for reward.\n\nE-mail: redteam@ripio.com\n\n# Risk Acceptance\nWhile Ripio strives to address all reported vulnerabilities, we recognize that not all issues can be fixed immediately, and some may be considered acceptable risks due to their low impact on our security posture. 
In such cases:\n\n* We will transparently communicate our risk acceptance decision, including the rationale for not addressing the vulnerability at this time.\n* We encourage researchers to provide as much detail as possible about the potential impact to help us assess the risk accurately.\n* Accepted risks will be reviewed periodically to ensure our security posture remains aligned with our business objectives and the evolving threat landscape.\n\nWe value your contributions and aim to collaborate closely with researchers to understand and mitigate security risks effectively. \n\n# Qualifying Vulnerabilities\nExamples of vulnerabilities Ripio is interested in receiving:\n\n* Authentication flaws.\n* KYC Bypass.\n* Cross-site scripting (Stored, DOM).\n* SQL Injection.\n* Cross-site request forgery.\n* Server Side Request Forgery.\n* Server-side code execution.\n* Privilege Escalation.\n* Business logic abuse with clear impact.\n* IDOR.\n* XML External Entity injection.\n* Remote File Inclusion.\n* Unvalidated Redirects and Forwards.\n\n# Restrictions\n* Mass automated scanning is not allowed. Please test creatively.\n* If you significantly degrade our service, you risk a program ban.\n* No DoS: our cloud providers prohibit this activity.\n* Participation in this program is prohibited for internal employees.\n\n# Non-Qualifying Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) the attack scenario/exploitability, and (2) the security impact of the bug. 
The following issues are considered out of scope:\n* Reflected XSS and issues exploitable only through Self-XSS.\n* Subdomain takeover or Git takeover.\n* Broken links / social media takeover.\n* Clickjacking.\n* Social engineering attacks.\n* Issues related to credentials or information disclosure in public sources such as Trello, GitHub, Wayback, etc.\n* Attacks requiring MITM, physical access or privileged access to a user device.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Spamming.\n* Vulnerabilities in third parties or in Ripio's providers.\n* Unauthenticated/logout CSRF.\n* Brute force issues.\n* Cross-Origin Resource Sharing (CORS).\n* User enumeration vulnerabilities.\n* Password complexity requirements.\n* Reports from automated tools or scans (without accompanying demonstration of exploitability).\n* HTML injection issues.\n* Cookie flags and security headers (e.g. missing the Secure or HttpOnly flags).\n* Descriptive error messages or headers (e.g. stack traces, application or server errors, banner grabbing).\n* Lack of rate limiting.\n* Disclosure of known public files or directories (e.g. robots.txt, readme.html, WordPress, etc).\n* Lack of code obfuscation in native apps.\n* Issues relating to the user session or the lifetime of the user session.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, 
we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Ripio and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Ripio’s HackerOne Program! 🎉 We’re thrilled to have you join us on this exciting journey to make Ripio even safer and stronger together! 💪 Your skills, creativity, and dedication are truly valued, and we can’t wait to see what you’ll uncover. Let’s collaborate and make a difference! 🚀\n\nHappy Hunting! 👾👾","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-09-03T12:51:38.497Z"},{"id":3761935,"new_policy":"\n| ATO Challenge | Information |\n|---------------|-------------|\n| User | ripiotestuser1@gmail.com |\n| Password | Sup3rs3cr3t! |\n\nTo obtain the special bounty, you must demonstrate the ability to obtain a user session with the data provided and perform a critical action on the platform. Brute force attacks are strictly prohibited.\nSpecial bounty reward: $6,000\nNOTE: the email account (@gmail.com) is out of scope. 
Do not try to log in to the Google account.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to resolve the issue quickly.\n* Give us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.\n\n# Test Plan\n* Include the following HTTP header in all outgoing HTTP requests: `X-H1-traffic: \u003cusername\u003e`\n* Use your @wearehackerone.com email alias to register for accounts.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, it will not be eligible for a reward.\n* Submit one vulnerability per report; do not submit chained vulnerabilities.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Vulnerability reports on Ripio's integrations with third parties are not eligible for reward.\n\nE-mail: redteam@ripio.com\n\n# Risk Acceptance\nWhile Ripio strives to address all reported vulnerabilities, we recognize that not all issues can be fixed immediately, and some may be considered acceptable risks due to their low impact on our security posture. 
In such cases:\n\n* We will transparently communicate our risk acceptance decision, including the rationale for not addressing the vulnerability at this time.\n* We encourage researchers to provide as much detail as possible about the potential impact to help us assess the risk accurately.\n* Accepted risks will be reviewed periodically to ensure our security posture remains aligned with our business objectives and the evolving threat landscape.\n\nWe value your contributions and aim to collaborate closely with researchers to understand and mitigate security risks effectively. \n\n# Qualifying Vulnerabilities\nExamples of vulnerabilities Ripio is interested in receiving:\n\n* Authentication flaws.\n* KYC Bypass.\n* Cross-site scripting (Stored, DOM).\n* SQL Injection.\n* Cross-site request forgery.\n* Server Side Request Forgery.\n* Server-side code execution.\n* Privilege Escalation.\n* Business logic abuse with clear impact.\n* IDOR.\n* XML External Entity injection.\n* Remote File Inclusion.\n* Unvalidated Redirects and Forwards.\n\n# Restrictions\n* Mass automated scanning is not allowed. Please test creatively.\n* If you significantly degrade our service, you risk a program ban.\n* No DoS: our cloud providers prohibit this activity.\n* Participation in this program is prohibited for internal employees.\n\n# Non-Qualifying Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) the attack scenario/exploitability, and (2) the security impact of the bug. 
The following issues are considered out of scope:\n* Reflected XSS and issues exploitable only through Self-XSS.\n* Subdomain takeover or Git takeover.\n* Broken links / social media takeover.\n* Clickjacking.\n* Social engineering attacks.\n* Issues related to credentials or information disclosure in public sources such as Trello, GitHub, Wayback, etc.\n* Attacks requiring MITM, physical access or privileged access to a user device.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Spamming.\n* Vulnerabilities in third parties or in Ripio's providers.\n* Unauthenticated/logout CSRF.\n* Brute force issues.\n* Cross-Origin Resource Sharing (CORS).\n* User enumeration vulnerabilities.\n* Password complexity requirements.\n* Reports from automated tools or scans (without accompanying demonstration of exploitability).\n* HTML injection issues.\n* Cookie flags and security headers (e.g. missing the Secure or HttpOnly flags).\n* Descriptive error messages or headers (e.g. stack traces, application or server errors, banner grabbing).\n* Lack of rate limiting.\n* Disclosure of known public files or directories (e.g. robots.txt, readme.html, WordPress, etc).\n* Lack of code obfuscation in native apps.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Ripio and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Ripio’s HackerOne Program! 
🎉 We’re thrilled to have you join us on this exciting journey to make Ripio even safer and stronger together! 💪 Your skills, creativity, and dedication are truly valued, and we can’t wait to see what you’ll uncover. Let’s collaborate and make a difference! 🚀\n\nHappy Hunting! 👾👾","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-26T17:53:33.589Z"},{"id":3761600,"new_policy":"\n| ATO Challenge | Information |\n|---------------|-------------|\n| User | ripiotestuser1@gmail.com |\n| Password | Sup3rs3cr3t! |\n\nTo obtain the special bounty, you must demonstrate the ability to obtain a user session with the data provided and perform a critical action on the platform. Brute force attacks are strictly prohibited.\nSpecial bounty reward: $6,000\nNOTE: the email account (@gmail.com) is out of scope. Do not try to log in to the Google account.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to resolve the issue quickly.\n* Give us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.\n\n# Test Plan\n* Include the following HTTP header in all outgoing HTTP requests: `X-H1-traffic: \u003cusername\u003e`\n* Use your @wearehackerone.com email alias to register for accounts.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, it will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Vulnerability reports on Ripio's integrations with third parties are not eligible for reward.\n\nE-mail: redteam@ripio.com\n\n# Risk Acceptance\nWhile Ripio strives to address all reported vulnerabilities, we recognize that not all issues can be fixed immediately, and some may be considered acceptable risks due to their low impact on our security posture. In such cases:\n\n* We will transparently communicate our risk acceptance decision, including the rationale for not addressing the vulnerability at this time.\n* We encourage researchers to provide as much detail as possible about the potential impact to help us assess the risk accurately.\n* Accepted risks will be reviewed periodically to ensure our security posture remains aligned with our business objectives and the evolving threat landscape.\n\nWe value your contributions and aim to collaborate closely with researchers to understand and mitigate security risks effectively. 
\n\n# Qualifying Vulnerabilities\nExamples of vulnerabilities Ripio is interested in receiving:\n\n* Authentication flaws.\n* KYC Bypass.\n* Cross-site scripting (Stored, DOM).\n* SQL Injection.\n* Cross-site request forgery.\n* Server Side Request Forgery.\n* Server-side code execution.\n* Privilege Escalation.\n* Business logic abuse with clear impact.\n* IDOR.\n* XML External Entity injection.\n* Remote File Inclusion.\n* Unvalidated Redirects and Forwards.\n\n# Restrictions\n* Mass automated scanning is not allowed. Please test creatively.\n* If you significantly degrade our service, you risk a program ban.\n* No DoS: our cloud providers prohibit this activity.\n* Participation in this program is prohibited for internal employees.\n\n# Non-Qualifying Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) the attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n* Reflected XSS and issues exploitable only through Self-XSS.\n* Subdomain takeover or Git takeover.\n* Broken links / social media takeover.\n* Clickjacking.\n* Social engineering attacks.\n* Issues related to credentials or information disclosure in public sources such as Trello, GitHub, Wayback, etc.\n* Attacks requiring MITM, physical access or privileged access to a user device.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Spamming.\n* Vulnerabilities in third parties or in Ripio's providers.\n* Unauthenticated/logout CSRF.\n* Brute force issues.\n* Cross-Origin Resource Sharing (CORS).\n* User enumeration vulnerabilities.\n* Password complexity requirements.\n* Reports from automated tools or scans (without accompanying demonstration of exploitability).\n* HTML injection issues.\n* Cookie flags and security headers (e.g. missing the Secure or HttpOnly flags).\n* Descriptive error messages or headers (e.g. 
stack traces, application or server errors, banner grabbing).\n* Lack of rate limiting.\n* Disclosure of known public files or directories (e.g. robots.txt, readme.html, WordPress, etc).\n* Lack of code obfuscation in native apps.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Ripio and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Ripio’s HackerOne Program! 🎉 We’re thrilled to have you join us on this exciting journey to make Ripio even safer and stronger together! 💪 Your skills, creativity, and dedication are truly valued, and we can’t wait to see what you’ll uncover. Let’s collaborate and make a difference! 🚀\n\nHappy Hunting! 👾👾","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-22T01:33:18.477Z"},{"id":3761596,"new_policy":"\n| ATO Challenge | Information |\n|---------------|-------------|\n| User | ripiotestuser1@gmail.com |\n| Password | Sup3rs3cr3t! |\n\nTo obtain the special bounty, you must demonstrate the ability to obtain a user session with the data provided and perform a critical action on the platform. Brute force attacks are strictly prohibited.\nSpecial bounty reward: $6,000\nNOTE: the email account (@gmail.com) is out of scope. 
Do not try to log in to the Google account.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to resolve the issue quickly.\n* Give us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.\n\n# Test Plan\n* Include the following HTTP header in all outgoing HTTP requests: `X-H1-traffic: \u003cusername\u003e`\n* Use your @wearehackerone.com email alias to register for accounts.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, it will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Vulnerability reports on Ripio's integrations with third parties are not eligible for reward.\n* To avoid reputational and legal problems in the countries where Ripio operates, we offer a temporary 2-week KYC validation for a test user on request; after this period you must continue testing with your personal account. 
If you are from another country where Ripio does not operate, please get in touch with the security team at the following email to request a KYC valid for 2 weeks.\n* Keep in mind that if you report a **valid issue** we will be able to extend KYC validation for another 2 weeks.\n\nE-mail: redteam@ripio.com\n\n# Risk Acceptance\nWhile Ripio strives to address all reported vulnerabilities, we recognize that not all issues can be fixed immediately, and some may be considered acceptable risks due to their low impact on our security posture. In such cases:\n\nWe will transparently communicate our risk acceptance decision, including the rationale behind not addressing the vulnerability at this time.\nWe encourage researchers to provide as much detail as possible about the potential impact to help us accurately assess the risk.\nAccepted risks will be periodically reviewed to ensure our security posture remains aligned with our business objectives and the evolving threat landscape.\nWe value your contributions and aim to collaborate closely with researchers to effectively understand and mitigate security risks.\n\n# Qualifying Vulnerabilities\nExamples of vulnerabilities Ripio is interested in receiving:\n\n* Authentication flaws.\n* KYC Bypass.\n* Cross-site scripting (Stored, DOM).\n* SQL Injection.\n* Cross-site request forgery.\n* Server-Side Request Forgery.\n* Server-side code execution.\n* Privilege Escalation.\n* Business logic abuse with clear impact.\n* IDOR.\n* XML External Entity injection.\n* Remote File Inclusion.\n* Unvalidated Redirects and Forwards.\n\n# Restrictions\n* Massive automated scanning is not allowed. 
Please test creatively.\n* If you significantly degrade our service, you risk a program ban.\n* No DoS - our cloud providers prohibit this activity.\n* Participation in this program is prohibited for internal employees.\n\n# Non-Qualifying Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) the attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n* Reflected XSS and issues exploitable only through Self-XSS.\n* Subdomain takeover or Git takeover.\n* Broken links / social media takeover.\n* Clickjacking.\n* Social engineering attacks.\n* Issues related to credentials or information disclosure in public sources such as Trello, GitHub, Wayback, etc.\n* Attacks requiring MITM, physical access or privileged access to a user device.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Spamming.\n* Vulnerabilities in 3rd parties or in Ripio's providers.\n* Unauthenticated/logout CSRF.\n* Brute force issues.\n* Cross-Origin Resource Sharing (CORS).\n* User enumeration vulnerabilities.\n* Password complexity requirements.\n* Reports from automated tools or scans (without accompanying demonstration of exploitability).\n* HTML injection issues.\n* Cookie flags and security headers (e.g. missing the Secure or HttpOnly flags).\n* Descriptive error messages or headers (e.g. Stack Traces, application or server errors, banner grabbing).\n* Lack of rate-limiting.\n* Disclosure of known public files or directories (e.g. robots.txt, readme.html, WordPress, etc.).\n* Obfuscated code on native apps.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. Suppose legal action is initiated by a third party against you in connection with activities conducted under this policy. 
In that case, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Ripio and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-21T23:42:39.456Z"}]