[{"id":3640401,"new_policy":"#THIS PROGRAM WILL IS NOW CLOSED AND WILL NOT ACCEPT ANY NEW SUBMISSIONS\n\n# What's new\n25-02-2020 - All Hackers participating in the program at any point in time must adhere to the rules of the program they accepted while joining.\n25-11-2019 - New Domain gobitcoinking.com is added to the scope.\n12-11-2019 - FAQ guide attached to the policy page on how to use savedroid apps and services\n{F632488}\n07-08-2019 - Categorization of the Issues based on severity and priority for savedroid for new Public Bug Bounty Program.\n\n# Rewards\n# Critical Severity - $2500\n## Issues that savedroid AG would consider to be critical impact include:\n\nTransfer SVD without Balance\nAccess to Hot Wallets, personal wallets to store the SVD's and trade the crypto SVD's.\nBuy Crypto without paying for it\nGet the other user private data\n Authentication bypass in apps\nChanging critical functionality of a system which may lead to severe system misuse\n\n\n# High Severity - $1500\n## Issues that savedroid AG would consider to be High impact include:\n\nCross account access in apps\nStored cross-site scripting (XSS) that can affect other users\nFlaws that could be used to exploit 3rd-party integration services\nUnauthorized configuration changes to installed Infrastructure agents\nRemote code execution (RCE) on savedroid backend services\nAbility to write data in misconfigured S3 buckets\nPrivate Key Leakage\n\n\n# Medium Severity - $500\n## Issues that savedroid AG would consider to be medium impact include:\n\nInsufficient validation of incoming URI handler calls for mobile applications leading to information disclosure\nMisconfigurations resulting in information leaks\nsubdomain takeover\n\n# Low Severity - $250\n## Issues that savedroid AG would consider to be low impact :\n\nInformation leaks (e.g. directory listing, first name and last name of a user)\nData leaks from internal systems\n\n\n#savedroid Bug Bounty Program\n\n[savedroid AG] (www.savedroid.com) specializes in AI technology for cryptocurrency savings. savedroid registered as an Account Information Service Provider (AIS) at the German banking authority (BaFin); its data protection is certified by TÜV.\n\nsavedroid AG aims to keep its Service safe for everyone, and data security is of the utmost priority. \nsavedroid AG will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. \n\nWe have included a document that will help you get to know Savedroid a little better with some frequently asked questions. \n{F585687}\n\n\n# Response Targets\nSaveDroid will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days\n* Time to bounty (from triage) - 7 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Testing Exclusion\nPlease note you are not permitted to access, download or modify data residing in any other Account, or one that is not registered to you.\nYou are also prohibited from: \n*\tExecuting or attempting to execute any Denial of Service attack.\n*\tKnowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.\n*\tAttempting to social engineer support staff.\n*\tTesting in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, \n pyramid schemes or other forms of duplicative or unsolicited messages.\n*\tTesting in a manner that would degrade the operation of the Service.\n*\tTesting or otherwise accessing or using the Service from any jurisdiction that is a Prohibited \n Jurisdiction.\n*\tTesting third party applications or websites or services that integrate with or link to the Service.\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n*\tBrute-force, / Rate-limiting, / Velocity throttling, and other denials of service based issues.\n*\tClickjacking on pages with no sensitive actions.\n*\tContent spoofing issues without branding CSS.\n*\tCookie flags.\n*\tCovert Redirects.\n*\tIssue where the fix only requires a text change.\n*\tUnauthenticated/logout/login CSRF.\n*\tMalicious attachments on file uploads or attachments.\n*\tMissing additional security controls, such as HSTS or CSP headers\n*\tMobile issues that require a Rooted or Jailbroken device.\n*\tPassword recovery policies, such as reset link expiration or password complexity\n*\tReflected File Download (this may be rewarded in the future, but is currently out of scope)\n*\tSPF, DKIM, DMARC issues.\n*\tXSS (or a behavior) where you can only attack yourself\n*\tXSS on pages where admins are intentionally given full HTML editing capabilities, such as custom \n theme editing\n* Attacks requiring MITM or physical access to a user's device.\n* Missing best practices in SSL/TLS configuration.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SaveDroid and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-24T15:38:29.044Z"},{"id":3631483,"new_policy":"# What's new\n25-02-2020 - All Hackers participating in the program at any point in time must adhere to the rules of the program they accepted while joining.\n25-11-2019 - New Domain gobitcoinking.com is added to the scope.\n12-11-2019 - FAQ guide attached to the policy page on how to use savedroid apps and services\n{F632488}\n07-08-2019 - Categorization of the Issues based on severity and priority for savedroid for new Public Bug Bounty Program.\n\n# Rewards\n# Critical Severity - $2500\n## Issues that savedroid AG would consider to be critical impact include:\n\nTransfer SVD without Balance\nAccess to Hot Wallets, personal wallets to store the SVD's and trade the crypto SVD's.\nBuy Crypto without paying for it\nGet the other user private data\n Authentication bypass in apps\nChanging critical functionality of a system which may lead to severe system misuse\n\n\n# High Severity - $1500\n## Issues that savedroid AG would consider to be High impact include:\n\nCross account access in apps\nStored cross-site scripting (XSS) that can affect other users\nFlaws that could be used to exploit 3rd-party integration services\nUnauthorized configuration changes to installed Infrastructure agents\nRemote code execution (RCE) on savedroid backend services\nAbility to write data in misconfigured S3 buckets\nPrivate Key Leakage\n\n\n# Medium Severity - $500\n## Issues that savedroid AG would consider to be medium impact include:\n\nInsufficient validation of incoming URI handler calls for mobile applications leading to information disclosure\nMisconfigurations resulting in information leaks\nsubdomain takeover\n\n# Low Severity - $250\n## Issues that savedroid AG would consider to be low impact :\n\nInformation leaks (e.g. directory listing, first name and last name of a user)\nData leaks from internal systems\n\n\n#savedroid Bug Bounty Program\n\n[savedroid AG] (www.savedroid.com) specializes in AI technology for cryptocurrency savings. savedroid registered as an Account Information Service Provider (AIS) at the German banking authority (BaFin); its data protection is certified by TÜV.\n\nsavedroid AG aims to keep its Service safe for everyone, and data security is of the utmost priority. \nsavedroid AG will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. \n\nWe have included a document that will help you get to know Savedroid a little better with some frequently asked questions. \n{F585687}\n\n\n# Response Targets\nSaveDroid will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days\n* Time to bounty (from triage) - 7 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Testing Exclusion\nPlease note you are not permitted to access, download or modify data residing in any other Account, or one that is not registered to you.\nYou are also prohibited from: \n*\tExecuting or attempting to execute any Denial of Service attack.\n*\tKnowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.\n*\tAttempting to social engineer support staff.\n*\tTesting in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, \n pyramid schemes or other forms of duplicative or unsolicited messages.\n*\tTesting in a manner that would degrade the operation of the Service.\n*\tTesting or otherwise accessing or using the Service from any jurisdiction that is a Prohibited \n Jurisdiction.\n*\tTesting third party applications or websites or services that integrate with or link to the Service.\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n*\tBrute-force, / Rate-limiting, / Velocity throttling, and other denials of service based issues.\n*\tClickjacking on pages with no sensitive actions.\n*\tContent spoofing issues without branding CSS.\n*\tCookie flags.\n*\tCovert Redirects.\n*\tIssue where the fix only requires a text change.\n*\tUnauthenticated/logout/login CSRF.\n*\tMalicious attachments on file uploads or attachments.\n*\tMissing additional security controls, such as HSTS or CSP headers\n*\tMobile issues that require a Rooted or Jailbroken device.\n*\tPassword recovery policies, such as reset link expiration or password complexity\n*\tReflected File Download (this may be rewarded in the future, but is currently out of scope)\n*\tSPF, DKIM, DMARC issues.\n*\tXSS (or a behavior) where you can only attack yourself\n*\tXSS on pages where admins are intentionally given full HTML editing capabilities, such as custom \n theme editing\n* Attacks requiring MITM or physical access to a user's device.\n* Missing best practices in SSL/TLS configuration.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SaveDroid and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-02-25T10:26:48.355Z"},{"id":3631482,"new_policy":"# What's new\n25-02-2020 - All Hackers participating the program at any point in time must adhere to the rules of program they accepted while joining the program, platform.\n25-11-2019 - New Domain gobitcoinking.com is added to scope.\n12-11-2019 - FAQ guide attached to the policy page on how to use savedroid apps and services\n{F632488}\n07-08-2019 - Categorization of the Issues based on severity and priority for savedroid for new Public Bug Bounty Program.\n\n# Rewards\n# Critical Severity - $2500\n## Issues that savedroid AG would consider to be critical impact include:\n\nTransfer SVD without Balance\nAccess to Hot Wallets, personal wallet to store the SVD's and trade the crypto SVD's.\nBuy Crypto without paying for it\nGet the other user private data\n Authentication bypass in apps\nChanging critical functionality of a system which may lead to severe system misuse\n\n\n# High Severity - $1500\n## Issues that savedroid AG would consider to be High impact include:\n\nCross account access in apps\nStored cross-site scripting (XSS) that can affect other users\nFlaws that could be used to exploit 3rd-party integration services\nUnauthorized configuration changes to installed Infrastructure agents\nRemote code execution (RCE) on savedroid backend services\nAbility to write data in misconfigured S3 buckets\nPrivate Key Leakage\n\n\n# Medium Severity - $500\n## Issues that savedroid AG would consider to be medium impact include:\n\nInsufficient validation of incoming URI handler calls for mobile applications leading to information disclosure\nMisconfigurations resulting in information leaks\nsubdomain takeover\n\n# Low Severity - $250\n## Issues that savedroid AG would consider to be low impact :\n\nInformation leaks (e.g. directory listing, first name and last name of a user)\nData leaks from internal systems\n\n\n#savedroid Bug Bounty Program\n\n[savedroid AG] (www.savedroid.com) specializes in AI technology for cryptocurrency savings. savedroid registered as an Account Information Service Provider (AIS) at the German banking authority (BaFin); its data protection is certified by TÜV.\n\nsavedroid AG aims to keep its Service safe for everyone, and data security is of the utmost priority. \nsavedroid AG will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. \n\nWe have included a document that will help you get to know Savedroid a little better with some frequently asked questions. \n{F585687}\n\n\n# Response Targets\nSaveDroid will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days\n* Time to bounty (from triage) - 7 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Testing Exclusion\nPlease note you are not permitted to access, download or modify data residing in any other Account, or one that is not registered to you.\nYou are also prohibited from: \n*\tExecuting or attempting to execute any Denial of Service attack.\n*\tKnowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.\n*\tAttempting to social engineer support staff.\n*\tTesting in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, \n pyramid schemes or other forms of duplicative or unsolicited messages.\n*\tTesting in a manner that would degrade the operation of the Service.\n*\tTesting or otherwise accessing or using the Service from any jurisdiction that is a Prohibited \n Jurisdiction.\n*\tTesting third party applications or websites or services that integrate with or link to the Service.\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n*\tBrute-force, / Rate-limiting, / Velocity throttling, and other denials of service based issues.\n*\tClickjacking on pages with no sensitive actions.\n*\tContent spoofing issues without branding CSS.\n*\tCookie flags.\n*\tCovert Redirects.\n*\tIssue where the fix only requires a text change.\n*\tUnauthenticated/logout/login CSRF.\n*\tMalicious attachments on file uploads or attachments.\n*\tMissing additional security controls, such as HSTS or CSP headers\n*\tMobile issues that require a Rooted or Jailbroken device.\n*\tPassword recovery policies, such as reset link expiration or password complexity\n*\tReflected File Download (this may be rewarded in the future, but is currently out of scope)\n*\tSPF, DKIM, DMARC issues.\n*\tXSS (or a behavior) where you can only attack yourself\n*\tXSS on pages where admins are intentionally given full HTML editing capabilities, such as custom \n theme editing\n* Attacks requiring MITM or physical access to a user's device.\n* Missing best practices in SSL/TLS configuration.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SaveDroid and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-02-25T10:25:06.850Z"},{"id":3624497,"new_policy":"# What's new\n25-11-2019 - New Domain gobitcoinking.com is added to scope.\n12-11-2019 - FAQ guide attached to the policy page on how to use savedroid apps and services\n{F632488}\n07-08-2019 - Categorization of the Issues based on severity and priority for savedroid for new Public Bug Bounty Program.\n\n# Rewards\n# Critical Severity - $2500\n## Issues that savedroid AG would consider to be critical impact include:\n\nTransfer SVD without Balance\nAccess to Hot Wallets, personal wallet to store the SVD's and trade the crypto SVD's.\nBuy Crypto without paying for it\nGet the other user private data\n Authentication bypass in apps\nChanging critical functionality of a system which may lead to severe system misuse\n\n\n# High Severity - $1500\n## Issues that savedroid AG would consider to be High impact include:\n\nCross account access in apps\nStored cross-site scripting (XSS) that can affect other users\nFlaws that could be used to exploit 3rd-party integration services\nUnauthorized configuration changes to installed Infrastructure agents\nRemote code execution (RCE) on savedroid backend services\nAbility to write data in misconfigured S3 buckets\nPrivate Key Leakage\n\n\n# Medium Severity - $500\n## Issues that savedroid AG would consider to be medium impact include:\n\nInsufficient validation of incoming URI handler calls for mobile applications leading to information disclosure\nMisconfigurations resulting in information leaks\nsubdomain takeover\n\n# Low Severity - $250\n## Issues that savedroid AG would consider to be low impact :\n\nInformation leaks (e.g. directory listing, first name and last name of a user)\nData leaks from internal systems\n\n\n#savedroid Bug Bounty Program\n\n[savedroid AG] (www.savedroid.com) specializes in AI technology for cryptocurrency savings. savedroid registered as an Account Information Service Provider (AIS) at the German banking authority (BaFin); its data protection is certified by TÜV.\n\nsavedroid AG aims to keep its Service safe for everyone, and data security is of the utmost priority. \nsavedroid AG will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. \n\nWe have included a document that will help you get to know Savedroid a little better with some frequently asked questions. \n{F585687}\n\n\n# Response Targets\nSaveDroid will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days\n* Time to bounty (from triage) - 7 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Testing Exclusion\nPlease note you are not permitted to access, download or modify data residing in any other Account, or one that is not registered to you.\nYou are also prohibited from: \n*\tExecuting or attempting to execute any Denial of Service attack.\n*\tKnowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.\n*\tAttempting to social engineer support staff.\n*\tTesting in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, \n pyramid schemes or other forms of duplicative or unsolicited messages.\n*\tTesting in a manner that would degrade the operation of the Service.\n*\tTesting or otherwise accessing or using the Service from any jurisdiction that is a Prohibited \n Jurisdiction.\n*\tTesting third party applications or websites or services that integrate with or link to the Service.\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n*\tBrute-force, / Rate-limiting, / Velocity throttling, and other denials of service based issues.\n*\tClickjacking on pages with no sensitive actions.\n*\tContent spoofing issues without branding CSS.\n*\tCookie flags.\n*\tCovert Redirects.\n*\tIssue where the fix only requires a text change.\n*\tUnauthenticated/logout/login CSRF.\n*\tMalicious attachments on file uploads or attachments.\n*\tMissing additional security controls, such as HSTS or CSP headers\n*\tMobile issues that require a Rooted or Jailbroken device.\n*\tPassword recovery policies, such as reset link expiration or password complexity\n*\tReflected File Download (this may be rewarded in the future, but is currently out of scope)\n*\tSPF, DKIM, DMARC issues.\n*\tXSS (or a behavior) where you can only attack yourself\n*\tXSS on pages where admins are intentionally given full HTML editing capabilities, such as custom \n theme editing\n* Attacks requiring MITM or physical access to a user's device.\n* Missing best practices in SSL/TLS configuration.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SaveDroid and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-11-25T09:36:29.514Z"},{"id":3624496,"new_policy":"# What's new\n25-11-2019 - New Domain {gobitcoinking.com} is added to scope\n12-11-2019 - FAQ guide attached to the policy page on how to use savedroid apps and services\n{F632488}\n07-08-2019 - Categorization of the Issues based on severity and priority for savedroid for new Public Bug Bounty Program.\n\n# Rewards\n# Critical Severity - $2500\n## Issues that savedroid AG would consider to be critical impact include:\n\nTransfer SVD without Balance\nAccess to Hot Wallets, personal wallet to store the SVD's and trade the crypto SVD's.\nBuy Crypto without paying for it\nGet the other user private data\n Authentication bypass in apps\nChanging critical functionality of a system which may lead to severe system misuse\n\n\n# High Severity - $1500\n## Issues that savedroid AG would consider to be High impact include:\n\nCross account access in apps\nStored cross-site scripting (XSS) that can affect other users\nFlaws that could be used to exploit 3rd-party integration services\nUnauthorized configuration changes to installed Infrastructure agents\nRemote code execution (RCE) on savedroid backend services\nAbility to write data in misconfigured S3 buckets\nPrivate Key Leakage\n\n\n# Medium Severity - $500\n## Issues that savedroid AG would consider to be medium impact include:\n\nInsufficient validation of incoming URI handler calls for mobile applications leading to information disclosure\nMisconfigurations resulting in information leaks\nsubdomain takeover\n\n# Low Severity - $250\n## Issues that savedroid AG would consider to be low impact :\n\nInformation leaks (e.g. directory listing, first name and last name of a user)\nData leaks from internal systems\n\n\n#savedroid Bug Bounty Program\n\n[savedroid AG] (www.savedroid.com) specializes in AI technology for cryptocurrency savings. savedroid registered as an Account Information Service Provider (AIS) at the German banking authority (BaFin); its data protection is certified by TÜV.\n\nsavedroid AG aims to keep its Service safe for everyone, and data security is of the utmost priority. \nsavedroid AG will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. \n\nWe have included a document that will help you get to know Savedroid a little better with some frequently asked questions. \n{F585687}\n\n\n# Response Targets\nSaveDroid will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days\n* Time to bounty (from triage) - 7 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Testing Exclusion\nPlease note you are not permitted to access, download or modify data residing in any other Account, or one that is not registered to you.\nYou are also prohibited from: \n*\tExecuting or attempting to execute any Denial of Service attack.\n*\tKnowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.\n*\tAttempting to social engineer support staff.\n*\tTesting in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, \n pyramid schemes or other forms of duplicative or unsolicited messages.\n*\tTesting in a manner that would degrade the operation of the Service.\n*\tTesting or otherwise accessing or using the Service from any jurisdiction that is a Prohibited \n Jurisdiction.\n*\tTesting third party applications or websites or services that integrate with or link to the Service.\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n*\tBrute-force, / Rate-limiting, / Velocity throttling, and other denials of service based issues.\n*\tClickjacking on pages with no sensitive actions.\n*\tContent spoofing issues without branding CSS.\n*\tCookie flags.\n*\tCovert Redirects.\n*\tIssue where the fix only requires a text change.\n*\tUnauthenticated/logout/login CSRF.\n*\tMalicious attachments on file uploads or attachments.\n*\tMissing additional security controls, such as HSTS or CSP headers\n*\tMobile issues that require a Rooted or Jailbroken device.\n*\tPassword recovery policies, such as reset link expiration or password complexity\n*\tReflected File Download (this may be rewarded in the future, but is currently out of scope)\n*\tSPF, DKIM, DMARC issues.\n*\tXSS (or a behavior) where you can only attack yourself\n*\tXSS on pages where admins are intentionally given full HTML editing capabilities, such as custom \n theme editing\n* Attacks requiring MITM or physical access to a user's device.\n* Missing best practices in SSL/TLS configuration.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SaveDroid and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-11-25T09:35:18.151Z"},{"id":3623489,"new_policy":"# What's new\n12-11-2019 - FAQ guide attached to the policy page on how to use savedroid apps and services\n{F632488}\n07-08-2019 - Categorization of the Issues based on severity and priority for savedroid for new Public Bug Bounty Program.\n\n# Rewards\n# Critical Severity - $2500\n## Issues that savedroid AG would consider to be critical impact include:\n\nTransfer SVD without Balance\nAccess to Hot Wallets, personal wallet to store the SVD's and trade the crypto SVD's.\nBuy Crypto without paying for it\nGet the other user private data\n Authentication bypass in apps\nChanging critical functionality of a system which may lead to severe system misuse\n\n\n# High Severity - $1500\n## Issues that savedroid AG would consider to be High impact include:\n\nCross account access in apps\nStored cross-site scripting (XSS) that can affect other users\nFlaws that could be used to exploit 3rd-party integration services\nUnauthorized configuration changes to installed Infrastructure agents\nRemote code execution (RCE) on savedroid backend services\nAbility to write data in misconfigured S3 buckets\nPrivate Key Leakage\n\n\n# Medium Severity - $500\n## Issues that savedroid AG would consider to be medium impact include:\n\nInsufficient validation of incoming URI handler calls for mobile applications leading to information disclosure\nMisconfigurations resulting in information leaks\nsubdomain takeover\n\n# Low Severity - $250\n## Issues that savedroid AG would consider to be low impact :\n\nInformation leaks (e.g. directory listing, first name and last name of a user)\nData leaks from internal systems\n\n\n#savedroid Bug Bounty Program\n\n[savedroid AG] (www.savedroid.com) specializes in AI technology for cryptocurrency savings. savedroid registered as an Account Information Service Provider (AIS) at the German banking authority (BaFin); its data protection is certified by TÜV.\n\nsavedroid AG aims to keep its Service safe for everyone, and data security is of the utmost priority. \nsavedroid AG will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. \n\nWe have included a document that will help you get to know Savedroid a little better with some frequently asked questions. \n{F585687}\n\n\n# Response Targets\nSaveDroid will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days\n* Time to bounty (from triage) - 7 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Testing Exclusion\nPlease note you are not permitted to access, download or modify data residing in any other Account, or one that is not registered to you.\nYou are also prohibited from: \n*\tExecuting or attempting to execute any Denial of Service attack.\n*\tKnowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.\n*\tAttempting to social engineer support staff.\n*\tTesting in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, \n pyramid schemes or other forms of duplicative or unsolicited messages.\n*\tTesting in a manner that would degrade the operation of the Service.\n*\tTesting or otherwise accessing or using the Service from any jurisdiction that is a Prohibited \n Jurisdiction.\n*\tTesting third party applications or websites or services that integrate with or link to the Service.\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n*\tBrute-force, / Rate-limiting, / Velocity throttling, and other denials of service based issues.\n*\tClickjacking on pages with no sensitive actions.\n*\tContent spoofing issues without branding CSS.\n*\tCookie flags.\n*\tCovert Redirects.\n*\tIssue where the fix only requires a text change.\n*\tUnauthenticated/logout/login CSRF.\n*\tMalicious attachments on file uploads or attachments.\n*\tMissing additional security controls, such as HSTS or CSP headers\n*\tMobile issues that require a Rooted or Jailbroken device.\n*\tPassword recovery policies, such as reset link expiration or password complexity\n*\tReflected File Download (this may be rewarded in the future, but is currently out of scope)\n*\tSPF, DKIM, DMARC issues.\n*\tXSS (or a behavior) where you can only attack yourself\n*\tXSS on pages where admins are intentionally given full HTML editing capabilities, such as custom \n theme editing\n* Attacks requiring MITM or physical access to a user's device.\n* Missing best practices in SSL/TLS configuration.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SaveDroid and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-11-12T14:23:43.160Z"},{"id":3623488,"new_policy":"# What's new\n12-11-2019 - FAQ guide attached to the policy page on how to use savedroid apps and services {F632486}\n07-08-2019 - Categorization of the Issues based on severity and priority for savedroid for new Public Bug Bounty Program.\n\n# Rewards\n# Critical Severity - $2500\n## Issues that savedroid AG would consider to be critical impact include:\n\nTransfer SVD without Balance\nAccess to Hot Wallets, personal wallet to store the SVD's and trade the crypto SVD's.\nBuy Crypto without paying for it\nGet the other user private data\n Authentication bypass in apps\nChanging critical functionality of a system which may lead to severe system misuse\n\n\n# High Severity - $1500\n## Issues that savedroid AG would consider to be High impact include:\n\nCross account access in apps\nStored cross-site scripting (XSS) that can affect other users\nFlaws that could be used to exploit 3rd-party integration services\nUnauthorized configuration changes to installed Infrastructure agents\nRemote code execution (RCE) on savedroid backend services\nAbility to write data in misconfigured S3 buckets\nPrivate Key Leakage\n\n\n# Medium Severity - $500\n## Issues that savedroid AG would consider to be medium impact include:\n\nInsufficient validation of incoming URI handler calls for mobile applications leading to information disclosure\nMisconfigurations resulting in information leaks\nsubdomain takeover\n\n# Low Severity - $250\n## Issues that savedroid AG would consider to be low impact :\n\nInformation leaks (e.g. directory listing, first name and last name of a user)\nData leaks from internal systems\n\n\n#savedroid Bug Bounty Program\n\n[savedroid AG] (www.savedroid.com) specializes in AI technology for cryptocurrency savings. savedroid registered as an Account Information Service Provider (AIS) at the German banking authority (BaFin); its data protection is certified by TÜV.\n\nsavedroid AG aims to keep its Service safe for everyone, and data security is of the utmost priority. \nsavedroid AG will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. \n\nWe have included a document that will help you get to know Savedroid a little better with some frequently asked questions. \n{F585687}\n\n\n# Response Targets\nSaveDroid will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days\n* Time to bounty (from triage) - 7 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Testing Exclusion\nPlease note you are not permitted to access, download or modify data residing in any other Account, or one that is not registered to you.\nYou are also prohibited from: \n*\tExecuting or attempting to execute any Denial of Service attack.\n*\tKnowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.\n*\tAttempting to social engineer support staff.\n*\tTesting in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, \n pyramid schemes or other forms of duplicative or unsolicited messages.\n*\tTesting in a manner that would degrade the operation of the Service.\n*\tTesting or otherwise accessing or using the Service from any jurisdiction that is a Prohibited \n Jurisdiction.\n*\tTesting third party applications or websites or services that integrate with or link to the Service.\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n*\tBrute-force, / Rate-limiting, / Velocity throttling, and other denials of service based issues.\n*\tClickjacking on pages with no sensitive actions.\n*\tContent spoofing issues without branding CSS.\n*\tCookie flags.\n*\tCovert Redirects.\n*\tIssue where the fix only requires a text change.\n*\tUnauthenticated/logout/login CSRF.\n*\tMalicious attachments on file uploads or attachments.\n*\tMissing additional security controls, such as HSTS or CSP headers\n*\tMobile issues that require a Rooted or Jailbroken device.\n*\tPassword recovery policies, such as reset link expiration or password complexity\n*\tReflected File Download (this may be rewarded in the future, but is currently out of scope)\n*\tSPF, DKIM, DMARC issues.\n*\tXSS (or a behavior) where you can only attack yourself\n*\tXSS on pages where admins are intentionally given full HTML editing capabilities, such as custom \n theme editing\n* Attacks requiring MITM or physical access to a user's device.\n* Missing best practices in SSL/TLS configuration.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SaveDroid and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-11-12T14:22:17.556Z"},{"id":3623487,"new_policy":"# What's new\n12-11-2019 - FAQ guide attached to the policy page on how to use savedroid apps and services \n07-08-2019 - Categorization of the Issues based on severity and priority for savedroid for new Public Bug Bounty Program.\n\n# Rewards\n# Critical Severity - $2500\n## Issues that savedroid AG would consider to be critical impact include:\n\nTransfer SVD without Balance\nAccess to Hot Wallets, personal wallet to store the SVD's and trade the crypto SVD's.\nBuy Crypto without paying for it\nGet the other user private data\n Authentication bypass in apps\nChanging critical functionality of a system which may lead to severe system misuse\n\n\n# High Severity - $1500\n## Issues that savedroid AG would consider to be High impact include:\n\nCross account access in apps\nStored cross-site scripting (XSS) that can affect other users\nFlaws that could be used to exploit 3rd-party integration services\nUnauthorized configuration changes to installed Infrastructure agents\nRemote code execution (RCE) on savedroid backend services\nAbility to write data in misconfigured S3 buckets\nPrivate Key Leakage\n\n\n# Medium Severity - $500\n## Issues that savedroid AG would consider to be medium impact include:\n\nInsufficient validation of incoming URI handler calls for mobile applications leading to information disclosure\nMisconfigurations resulting in information leaks\nsubdomain takeover\n\n# Low Severity - $250\n## Issues that savedroid AG would consider to be low impact :\n\nInformation leaks (e.g. directory listing, first name and last name of a user)\nData leaks from internal systems\n\n\n#savedroid Bug Bounty Program\n\n[savedroid AG] (www.savedroid.com) specializes in AI technology for cryptocurrency savings. savedroid registered as an Account Information Service Provider (AIS) at the German banking authority (BaFin); its data protection is certified by TÜV.\n\nsavedroid AG aims to keep its Service safe for everyone, and data security is of the utmost priority. \nsavedroid AG will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. \n\nWe have included a document that will help you get to know Savedroid a little better with some frequently asked questions. \n{F585687}\n\n\n# Response Targets\nSaveDroid will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days\n* Time to bounty (from triage) - 7 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Testing Exclusion\nPlease note you are not permitted to access, download or modify data residing in any other Account, or one that is not registered to you.\nYou are also prohibited from: \n*\tExecuting or attempting to execute any Denial of Service attack.\n*\tKnowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.\n*\tAttempting to social engineer support staff.\n*\tTesting in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, \n pyramid schemes or other forms of duplicative or unsolicited messages.\n*\tTesting in a manner that would degrade the operation of the Service.\n*\tTesting or otherwise accessing or using the Service from any jurisdiction that is a Prohibited \n Jurisdiction.\n*\tTesting third party applications or websites or services that integrate with or link to the Service.\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n*\tBrute-force, / Rate-limiting, / Velocity throttling, and other denials of service based issues.\n*\tClickjacking on pages with no sensitive actions.\n*\tContent spoofing issues without branding CSS.\n*\tCookie flags.\n*\tCovert Redirects.\n*\tIssue where the fix only requires a text change.\n*\tUnauthenticated/logout/login CSRF.\n*\tMalicious attachments on file uploads or attachments.\n*\tMissing additional security controls, such as HSTS or CSP headers\n*\tMobile issues that require a Rooted or Jailbroken device.\n*\tPassword recovery policies, such as reset link expiration or password complexity\n*\tReflected File Download (this may be rewarded in the future, but is currently out of scope)\n*\tSPF, DKIM, DMARC issues.\n*\tXSS (or a behavior) where you can only attack yourself\n*\tXSS on pages where admins are intentionally given full HTML editing capabilities, such as custom \n theme editing\n* Attacks requiring MITM or physical access to a user's device.\n* Missing best practices in SSL/TLS configuration.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SaveDroid and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-11-12T14:17:57.559Z"},{"id":3622523,"new_policy":"# What's new\n15-10-2019 - FAQ guide attached to the policy page on how to use savedroid apps and services.\n07-08-2019 - Categorization of the Issues based on severity and priority for savedroid for new Public Bug Bounty Program.\n\n# Rewards\n# Critical Severity - $2500\n## Issues that savedroid AG would consider to be critical impact include:\n\nTransfer SVD without Balance\nAccess to Hot Wallets, personal wallet to store the SVD's and trade the crypto SVD's.\nBuy Crypto without paying for it\nGet the other user private data\n Authentication bypass in apps\nChanging critical functionality of a system which may lead to severe system misuse\n\n\n# High Severity - $1500\n## Issues that savedroid AG would consider to be High impact include:\n\nCross account access in apps\nStored cross-site scripting (XSS) that can affect other users\nFlaws that could be used to exploit 3rd-party integration services\nUnauthorized configuration changes to installed Infrastructure agents\nRemote code execution (RCE) on savedroid backend services\nAbility to write data in misconfigured S3 buckets\nPrivate Key Leakage\n\n\n# Medium Severity - $500\n## Issues that savedroid AG would consider to be medium impact include:\n\nInsufficient validation of incoming URI handler calls for mobile applications leading to information disclosure\nMisconfigurations resulting in information leaks\nsubdomain takeover\n\n# Low Severity - $250\n## Issues that savedroid AG would consider to be low impact :\n\nInformation leaks (e.g. directory listing, first name and last name of a user)\nData leaks from internal systems\n\n\n#savedroid Bug Bounty Program\n\n[savedroid AG] (www.savedroid.com) specializes in AI technology for cryptocurrency savings. savedroid registered as an Account Information Service Provider (AIS) at the German banking authority (BaFin); its data protection is certified by TÜV.\n\nsavedroid AG aims to keep its Service safe for everyone, and data security is of the utmost priority. \nsavedroid AG will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. \n\nWe have included a document that will help you get to know Savedroid a little better with some frequently asked questions. \n{F585687}\n\n\n# Response Targets\nSaveDroid will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days\n* Time to bounty (from triage) - 7 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Testing Exclusion\nPlease note you are not permitted to access, download or modify data residing in any other Account, or one that is not registered to you.\nYou are also prohibited from: \n*\tExecuting or attempting to execute any Denial of Service attack.\n*\tKnowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.\n*\tAttempting to social engineer support staff.\n*\tTesting in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, \n pyramid schemes or other forms of duplicative or unsolicited messages.\n*\tTesting in a manner that would degrade the operation of the Service.\n*\tTesting or otherwise accessing or using the Service from any jurisdiction that is a Prohibited \n Jurisdiction.\n*\tTesting third party applications or websites or services that integrate with or link to the Service.\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n*\tBrute-force, / Rate-limiting, / Velocity throttling, and other denials of service based issues.\n*\tClickjacking on pages with no sensitive actions.\n*\tContent spoofing issues without branding CSS.\n*\tCookie flags.\n*\tCovert Redirects.\n*\tIssue where the fix only requires a text change.\n*\tUnauthenticated/logout/login CSRF.\n*\tMalicious attachments on file uploads or attachments.\n*\tMissing additional security controls, such as HSTS or CSP headers\n*\tMobile issues that require a Rooted or Jailbroken device.\n*\tPassword recovery policies, such as reset link expiration or password complexity\n*\tReflected File Download (this may be rewarded in the future, but is currently out of scope)\n*\tSPF, DKIM, DMARC issues.\n*\tXSS (or a behavior) where you can only attack yourself\n*\tXSS on pages where admins are intentionally given full HTML editing capabilities, such as custom \n theme editing\n* Attacks requiring MITM or physical access to a user's device.\n* Missing best practices in SSL/TLS configuration.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SaveDroid and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-10-30T09:42:59.638Z"},{"id":3622522,"new_policy":"# What's new\n15-10-2019 - FAQ guide attached to the policy page on how to use savedroid apps and services.\n07-08-2019 - Categorization of the Issues based on severity and priority for savedroid for new Public Bug Bounty Program.\n\n# Rewards\n# Critical Severity - $2500\nIssues that savedroid AG would consider to be critical impact include:\n\nTransfer SVD without Balance\nAccess to Hot Wallets, personal wallet to store the SVD's and trade the crypto SVD's.\nBuy Crypto without paying for it\nGet the other user private data\n Authentication bypass in apps\nChanging critical functionality of a system which may lead to severe system misuse\n\n\n# High Severity - $1500\n## Issues that savedroid AG would consider to be High impact include:\n\nCross account access in apps\nStored cross-site scripting (XSS) that can affect other users\nFlaws that could be used to exploit 3rd-party integration services\nUnauthorized configuration changes to installed Infrastructure agents\nRemote code execution (RCE) on savedroid backend services\nAbility to write data in misconfigured S3 buckets\nPrivate Key Leakage\n\n\n# Medium Severity - $500\n## Issues that savedroid AG would consider to be medium impact include:\n\nInsufficient validation of incoming URI handler calls for mobile applications leading to information disclosure\nMisconfigurations resulting in information leaks\nsubdomain takeover\n\n# Low Severity - $250\n## Issues that savedroid AG would consider to be low impact :\n\nInformation leaks (e.g. directory listing, first name and last name of a user)\nData leaks from internal systems\n\n\n#savedroid Bug Bounty Program\n\n[savedroid AG] (www.savedroid.com) specializes in AI technology for cryptocurrency savings. savedroid registered as an Account Information Service Provider (AIS) at the German banking authority (BaFin); its data protection is certified by TÜV.\n\nsavedroid AG aims to keep its Service safe for everyone, and data security is of the utmost priority. \nsavedroid AG will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. \n\nWe have included a document that will help you get to know Savedroid a little better with some frequently asked questions. \n{F585687}\n\n\n# Response Targets\nSaveDroid will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days\n* Time to bounty (from triage) - 7 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Testing Exclusion\nPlease note you are not permitted to access, download or modify data residing in any other Account, or one that is not registered to you.\nYou are also prohibited from: \n*\tExecuting or attempting to execute any Denial of Service attack.\n*\tKnowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.\n*\tAttempting to social engineer support staff.\n*\tTesting in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, \n pyramid schemes or other forms of duplicative or unsolicited messages.\n*\tTesting in a manner that would degrade the operation of the Service.\n*\tTesting or otherwise accessing or using the Service from any jurisdiction that is a Prohibited \n Jurisdiction.\n*\tTesting third party applications or websites or services that integrate with or link to the Service.\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n*\tBrute-force, / Rate-limiting, / Velocity throttling, and other denials of service based issues.\n*\tClickjacking on pages with no sensitive actions.\n*\tContent spoofing issues without branding CSS.\n*\tCookie flags.\n*\tCovert Redirects.\n*\tIssue where the fix only requires a text change.\n*\tUnauthenticated/logout/login CSRF.\n*\tMalicious attachments on file uploads or attachments.\n*\tMissing additional security controls, such as HSTS or CSP headers\n*\tMobile issues that require a Rooted or Jailbroken device.\n*\tPassword recovery policies, such as reset link expiration or password complexity\n*\tReflected File Download (this may be rewarded in the future, but is currently out of scope)\n*\tSPF, DKIM, DMARC issues.\n*\tXSS (or a behavior) where you can only attack yourself\n*\tXSS on pages where admins are intentionally given full HTML editing capabilities, such as custom \n theme editing\n* Attacks requiring MITM or physical access to a user's device.\n* Missing best practices in SSL/TLS configuration.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SaveDroid and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-10-30T09:42:12.219Z"},{"id":3622521,"new_policy":"# What's new\n15-10-2019 - FAQ guide attached to the policy page on how to use savedroid apps and services.\n07-08-2019 - Categorization of the Issues based on severity and priority for savedroid for new Public Bug Bounty Program.\n\n# Rewards\n# Critical Severity - $2500\nIssues that savedroid AG would consider to be critical impact include:\n\nTransfer SVD without Balance\nAccess to Hot Wallets, personal wallet to store the SVD's and trade the crypto SVD's.\nBuy Crypto without paying for it\nGet the other user private data\n Authentication bypass in apps\nChanging critical functionality of a system which may lead to severe system misuse\n\n\n# High Severity - $1500\n##Issues that savedroid AG would consider to be High impact include:\n\nCross account access in apps\nStored cross-site scripting (XSS) that can affect other users\nFlaws that could be used to exploit 3rd-party integration services\nUnauthorized configuration changes to installed Infrastructure agents\nRemote code execution (RCE) on savedroid backend services\nAbility to write data in misconfigured S3 buckets\nPrivate Key Leakage\n\n\n# Medium Severity - $500\n##ssues that savedroid AG would consider to be medium impact include:\n\nInsufficient validation of incoming URI handler calls for mobile applications leading to information disclosure\nMisconfigurations resulting in information leaks\nsubdomain takeover\n\n# Low Severity - $250\n##Issues that savedroid AG would consider to be low impact :\n\nInformation leaks (e.g. directory listing, first name and last name of a user)\nData leaks from internal systems\n\n\n#savedroid Bug Bounty Program\n\n[savedroid AG] (www.savedroid.com) specializes in AI technology for cryptocurrency savings. savedroid registered as an Account Information Service Provider (AIS) at the German banking authority (BaFin); its data protection is certified by TÜV.\n\nsavedroid AG aims to keep its Service safe for everyone, and data security is of the utmost priority. \nsavedroid AG will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. \n\nWe have included a document that will help you get to know Savedroid a little better with some frequently asked questions. \n{F585687}\n\n\n# Response Targets\nSaveDroid will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days\n* Time to bounty (from triage) - 7 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Testing Exclusion\nPlease note you are not permitted to access, download or modify data residing in any other Account, or one that is not registered to you.\nYou are also prohibited from: \n*\tExecuting or attempting to execute any Denial of Service attack.\n*\tKnowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.\n*\tAttempting to social engineer support staff.\n*\tTesting in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, \n pyramid schemes or other forms of duplicative or unsolicited messages.\n*\tTesting in a manner that would degrade the operation of the Service.\n*\tTesting or otherwise accessing or using the Service from any jurisdiction that is a Prohibited \n Jurisdiction.\n*\tTesting third party applications or websites or services that integrate with or link to the Service.\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n*\tBrute-force, / Rate-limiting, / Velocity throttling, and other denials of service based issues.\n*\tClickjacking on pages with no sensitive actions.\n*\tContent spoofing issues without branding CSS.\n*\tCookie flags.\n*\tCovert Redirects.\n*\tIssue where the fix only requires a text change.\n*\tUnauthenticated/logout/login CSRF.\n*\tMalicious attachments on file uploads or attachments.\n*\tMissing additional security controls, such as HSTS or CSP headers\n*\tMobile issues that require a Rooted or Jailbroken device.\n*\tPassword recovery policies, such as reset link expiration or password complexity\n*\tReflected File Download (this may be rewarded in the future, but is currently out of scope)\n*\tSPF, DKIM, DMARC issues.\n*\tXSS (or a behavior) where you can only attack yourself\n*\tXSS on pages where admins are intentionally given full HTML editing capabilities, such as custom \n theme editing\n* Attacks requiring MITM or physical access to a user's device.\n* Missing best practices in SSL/TLS configuration.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SaveDroid and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-10-30T09:41:10.083Z"},{"id":3622520,"new_policy":"# What's new\n15-10-2019 - FAQ guide attached to policy page on how to use savedroid apps and services.\n07-08-2019 - Categorization of the Issues based on severity and priority for savedroid for new Public Bug Bounty Program.\n\n# Rewards\n# Critical Severity - $2500\nIssues that savedroid AG would consider to be critical impact include:\n\nTransfer SVD without Balance\nAccess to Hot Wallets, personal wallet to store the SVD's and trade the crypto SVD's.\nBuy Crypto without paying for it\nGet the other user private data\n Authentication bypass in apps\nChanging critical functionality of a system which may lead to severe system misuse\n\n\n# High Severity - $1500\n##Issues that savedroid AG would consider to be High impact include:\n\nCross account access in apps\nStored cross-site scripting (XSS) that can affect other users\nFlaws that could be used to exploit 3rd-party integration services\nUnauthorized configuration changes to installed Infrastructure agents\nRemote code execution (RCE) on savedroid backend services\nAbility to write data in misconfigured S3 buckets\nPrivate Key Leakage\n\n\n# Medium Severity - $500\n##ssues that savedroid AG would consider to be medium impact include:\n\nInsufficient validation of incoming URI handler calls for mobile applications leading to information disclosure\nMisconfigurations resulting in information leaks\nsubdomain takeover\n\n# Low Severity - $250\n##Issues that savedroid AG would consider to be low impact :\n\nInformation leaks (e.g. directory listing, first name and last name of a user)\nData leaks from internal systems\n\n\n#savedroid Bug Bounty Program\n\n[savedroid AG] (www.savedroid.com) specializes in AI technology for cryptocurrency savings. savedroid registered as an Account Information Service Provider (AIS) at the German banking authority (BaFin); its data protection is certified by TÜV.\n\nsavedroid AG aims to keep its Service safe for everyone, and data security is of the utmost priority. \nsavedroid AG will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. \n\nWe have included a document that will help you get to know Savedroid a little better with some frequently asked questions. \n{F585687}\n\n\n# Response Targets\nSaveDroid will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days\n* Time to bounty (from triage) - 7 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Testing Exclusion\nPlease note you are not permitted to access, download or modify data residing in any other Account, or one that is not registered to you.\nYou are also prohibited from: \n*\tExecuting or attempting to execute any Denial of Service attack.\n*\tKnowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.\n*\tAttempting to social engineer support staff.\n*\tTesting in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, \n pyramid schemes or other forms of duplicative or unsolicited messages.\n*\tTesting in a manner that would degrade the operation of the Service.\n*\tTesting or otherwise accessing or using the Service from any jurisdiction that is a Prohibited \n Jurisdiction.\n*\tTesting third party applications or websites or services that integrate with or link to the Service.\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n*\tBrute-force, / Rate-limiting, / Velocity throttling, and other denials of service based issues.\n*\tClickjacking on pages with no sensitive actions.\n*\tContent spoofing issues without branding CSS.\n*\tCookie flags.\n*\tCovert Redirects.\n*\tIssue where the fix only requires a text change.\n*\tUnauthenticated/logout/login CSRF.\n*\tMalicious attachments on file uploads or attachments.\n*\tMissing additional security controls, such as HSTS or CSP headers\n*\tMobile issues that require a Rooted or Jailbroken device.\n*\tPassword recovery policies, such as reset link expiration or password complexity\n*\tReflected File Download (this may be rewarded in the future, but is currently out of scope)\n*\tSPF, DKIM, DMARC issues.\n*\tXSS (or a behavior) where you can only attack yourself\n*\tXSS on pages where admins are intentionally given full HTML editing capabilities, such as custom \n theme editing\n* Attacks requiring MITM or physical access to a user's device.\n* Missing best practices in SSL/TLS configuration.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SaveDroid and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-10-30T09:40:37.538Z"},{"id":3622519,"new_policy":"# What's new\n15-10-2019 - FAQ guide attached to policy page on how to use savedroid apps and services.\n07-08-2019 - Categorization of the Issues based on severity and priority for savedroid for new Public Bug Bounty Program.\n\n# Rewards\n# Critical Severity - $2500\nIssues that savedroid AG would consider to be critical impact include:\n\nTransfer SVD without Balance\nAccess to Hot Wallets, personal wallet to store the SVD's and trade the crypto SVD's.\nBuy Crypto without paying for it\nGet the other user private data\n Authentication bypass in apps\nChanging critical functionality of a system which may lead to severe system misuse\n\n\n# High Severity - $1500\nIssues that savedroid AG would consider to be High impact include:\n\nCross account access in apps\nStored cross-site scripting (XSS) that can affect other users\nFlaws that could be used to exploit 3rd-party integration services\nUnauthorized configuration changes to installed Infrastructure agents\nRemote code execution (RCE) on savedroid backend services\nAbility to write data in misconfigured S3 buckets\nPrivate Key Leakage\n\n\n# Medium Severity - $500\nIssues that savedroid AG would consider to be medium impact include:\n\nInsufficient validation of incoming URI handler calls for mobile applications leading to information disclosure\nMisconfigurations resulting in information leaks\nsubdomain takeover\n\n# Low Severity - $250\nIssues that savedroid AG would consider to be low impact :\n\nInformation leaks (e.g. directory listing, first name and last name of a user)\nData leaks from internal systems\n\n\n#savedroid Bug Bounty Program\n\n[savedroid AG] (www.savedroid.com) specializes in AI technology for cryptocurrency savings. savedroid registered as an Account Information Service Provider (AIS) at the German banking authority (BaFin); its data protection is certified by TÜV.\n\nsavedroid AG aims to keep its Service safe for everyone, and data security is of the utmost priority. \nsavedroid AG will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. \n\nWe have included a document that will help you get to know Savedroid a little better with some frequently asked questions. \n{F585687}\n\n\n# Response Targets\nSaveDroid will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days\n* Time to bounty (from triage) - 7 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Testing Exclusion\nPlease note you are not permitted to access, download or modify data residing in any other Account, or one that is not registered to you.\nYou are also prohibited from: \n*\tExecuting or attempting to execute any Denial of Service attack.\n*\tKnowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.\n*\tAttempting to social engineer support staff.\n*\tTesting in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, \n pyramid schemes or other forms of duplicative or unsolicited messages.\n*\tTesting in a manner that would degrade the operation of the Service.\n*\tTesting or otherwise accessing or using the Service from any jurisdiction that is a Prohibited \n Jurisdiction.\n*\tTesting third party applications or websites or services that integrate with or link to the Service.\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n*\tBrute-force, / Rate-limiting, / Velocity throttling, and other denials of service based issues.\n*\tClickjacking on pages with no sensitive actions.\n*\tContent spoofing issues without branding CSS.\n*\tCookie flags.\n*\tCovert Redirects.\n*\tIssue where the fix only requires a text change.\n*\tUnauthenticated/logout/login CSRF.\n*\tMalicious attachments on file uploads or attachments.\n*\tMissing additional security controls, such as HSTS or CSP headers\n*\tMobile issues that require a Rooted or Jailbroken device.\n*\tPassword recovery policies, such as reset link expiration or password complexity\n*\tReflected File Download (this may be rewarded in the future, but is currently out of scope)\n*\tSPF, DKIM, DMARC issues.\n*\tXSS (or a behavior) where you can only attack yourself\n*\tXSS on pages where admins are intentionally given full HTML editing capabilities, such as custom \n theme editing\n* Attacks requiring MITM or physical access to a user's device.\n* Missing best practices in SSL/TLS configuration.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SaveDroid and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-10-30T09:39:36.338Z"},{"id":3622518,"new_policy":"# What's new\n15-10-2019 - FAQ guide on how to use savedroid apps and services.\n07-08-2019 - Categorization of the Issues based on severity and priority for savedroid for new Public Bug Bounty Program.\n\n# Rewards\n# Critical Severity - $2500\nIssues that savedroid AG would consider to be critical impact include:\n\nTransfer SVD without Balance\nAccess to Hot Wallets, personal wallet to store the SVD's and trade the crypto SVD's.\nBuy Crypto without paying for it\nGet the other user private data\n Authentication bypass in apps\nChanging critical functionality of a system which may lead to severe system misuse\n\n\n# High Severity - $1500\nIssues that savedroid AG would consider to be High impact include:\n\nCross account access in apps\nStored cross-site scripting (XSS) that can affect other users\nFlaws that could be used to exploit 3rd-party integration services\nUnauthorized configuration changes to installed Infrastructure agents\nRemote code execution (RCE) on savedroid backend services\nAbility to write data in misconfigured S3 buckets\nPrivate Key Leakage\n\n\n# Medium Severity - $500\nIssues that savedroid AG would consider to be medium impact include:\n\nInsufficient validation of incoming URI handler calls for mobile applications leading to information disclosure\nMisconfigurations resulting in information leaks\nsubdomain takeover\n\n# Low Severity - $250\nIssues that savedroid AG would consider to be low impact :\n\nInformation leaks (e.g. directory listing, first name and last name of a user)\nData leaks from internal systems\n\n\n#savedroid Bug Bounty Program\n\n[savedroid AG] (www.savedroid.com) specializes in AI technology for cryptocurrency savings. savedroid registered as an Account Information Service Provider (AIS) at the German banking authority (BaFin); its data protection is certified by TÜV.\n\nsavedroid AG aims to keep its Service safe for everyone, and data security is of the utmost priority. \nsavedroid AG will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. \n\nWe have included a document that will help you get to know Savedroid a little better with some frequently asked questions. \n{F585687}\n\n\n# Response Targets\nSaveDroid will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days\n* Time to bounty (from triage) - 7 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Testing Exclusion\nPlease note you are not permitted to access, download or modify data residing in any other Account, or one that is not registered to you.\nYou are also prohibited from: \n*\tExecuting or attempting to execute any Denial of Service attack.\n*\tKnowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.\n*\tAttempting to social engineer support staff.\n*\tTesting in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, \n pyramid schemes or other forms of duplicative or unsolicited messages.\n*\tTesting in a manner that would degrade the operation of the Service.\n*\tTesting or otherwise accessing or using the Service from any jurisdiction that is a Prohibited \n Jurisdiction.\n*\tTesting third party applications or websites or services that integrate with or link to the Service.\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n*\tBrute-force, / Rate-limiting, / Velocity throttling, and other denials of service based issues.\n*\tClickjacking on pages with no sensitive actions.\n*\tContent spoofing issues without branding CSS.\n*\tCookie flags.\n*\tCovert Redirects.\n*\tIssue where the fix only requires a text change.\n*\tUnauthenticated/logout/login CSRF.\n*\tMalicious attachments on file uploads or attachments.\n*\tMissing additional security controls, such as HSTS or CSP headers\n*\tMobile issues that require a Rooted or Jailbroken device.\n*\tPassword recovery policies, such as reset link expiration or password complexity\n*\tReflected File Download (this may be rewarded in the future, but is currently out of scope)\n*\tSPF, DKIM, DMARC issues.\n*\tXSS (or a behavior) where you can only attack yourself\n*\tXSS on pages where admins are intentionally given full HTML editing capabilities, such as custom \n theme editing\n* Attacks requiring MITM or physical access to a user's device.\n* Missing best practices in SSL/TLS configuration.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SaveDroid and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-10-30T09:39:09.708Z"},{"id":3622517,"new_policy":"# What's new\n15-10-2019c - FAQ guide on how to use savedroid apps and services.\n07-08-2019 - Categorization of the Issues based on severity and priority for savedroid for new Public Bug Bounty Program.\n\n# Rewards\n# Critical Severity - $2500\nIssues that savedroid AG would consider to be critical impact include:\n\nTransfer SVD without Balance\nAccess to Hot Wallets, personal wallet to store the SVD's and trade the crypto SVD's.\nBuy Crypto without paying for it\nGet the other user private data\n Authentication bypass in apps\nChanging critical functionality of a system which may lead to severe system misuse\n\n\n# High Severity - $1500\nIssues that savedroid AG would consider to be High impact include:\n\nCross account access in apps\nStored cross-site scripting (XSS) that can affect other users\nFlaws that could be used to exploit 3rd-party integration services\nUnauthorized configuration changes to installed Infrastructure agents\nRemote code execution (RCE) on savedroid backend services\nAbility to write data in misconfigured S3 buckets\nPrivate Key Leakage\n\n\n# Medium Severity - $500\nIssues that savedroid AG would consider to be medium impact include:\n\nInsufficient validation of incoming URI handler calls for mobile applications leading to information disclosure\nMisconfigurations resulting in information leaks\nsubdomain takeover\n\n# Low Severity - $250\nIssues that savedroid AG would consider to be low impact :\n\nInformation leaks (e.g. directory listing, first name and last name of a user)\nData leaks from internal systems\n\n\n#savedroid Bug Bounty Program\n\n[savedroid AG] (www.savedroid.com) specializes in AI technology for cryptocurrency savings. savedroid registered as an Account Information Service Provider (AIS) at the German banking authority (BaFin); its data protection is certified by TÜV.\n\nsavedroid AG aims to keep its Service safe for everyone, and data security is of the utmost priority. \nsavedroid AG will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. \n\nWe have included a document that will help you get to know Savedroid a little better with some frequently asked questions. \n{F585687}\n\n\n# Response Targets\nSaveDroid will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days\n* Time to bounty (from triage) - 7 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Testing Exclusion\nPlease note you are not permitted to access, download or modify data residing in any other Account, or one that is not registered to you.\nYou are also prohibited from: \n*\tExecuting or attempting to execute any Denial of Service attack.\n*\tKnowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.\n*\tAttempting to social engineer support staff.\n*\tTesting in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, \n pyramid schemes or other forms of duplicative or unsolicited messages.\n*\tTesting in a manner that would degrade the operation of the Service.\n*\tTesting or otherwise accessing or using the Service from any jurisdiction that is a Prohibited \n Jurisdiction.\n*\tTesting third party applications or websites or services that integrate with or link to the Service.\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n*\tBrute-force, / Rate-limiting, / Velocity throttling, and other denials of service based issues.\n*\tClickjacking on pages with no sensitive actions.\n*\tContent spoofing issues without branding CSS.\n*\tCookie flags.\n*\tCovert Redirects.\n*\tIssue where the fix only requires a text change.\n*\tUnauthenticated/logout/login CSRF.\n*\tMalicious attachments on file uploads or attachments.\n*\tMissing additional security controls, such as HSTS or CSP headers\n*\tMobile issues that require a Rooted or Jailbroken device.\n*\tPassword recovery policies, such as reset link expiration or password complexity\n*\tReflected File Download (this may be rewarded in the future, but is currently out of scope)\n*\tSPF, DKIM, DMARC issues.\n*\tXSS (or a behavior) where you can only attack yourself\n*\tXSS on pages where admins are intentionally given full HTML editing capabilities, such as custom \n theme editing\n* Attacks requiring MITM or physical access to a user's device.\n* Missing best practices in SSL/TLS configuration.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SaveDroid and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-10-30T09:38:18.589Z"},{"id":3622516,"new_policy":"# What's new\n15-10-2019c - FAQ guide on how to use savedroid apps and services.\n07-08-2019 - Categorization of the Issues based on severity and priority for savedroid for new Public Bug Bounty Program.\n\n# Rewards\n# Critical Severity - $2500\nIssues that savedroid AG would consider to be critical impact include:\n\nTransfer SVD without Balance\nAccess to Hot Wallets, personal wallet to store the SVD's and trade the crypto SVD's.\nBuy Crypto without paying for it\nGet the other user private data\n Authentication bypass in apps\nChanging critical functionality of a system which may lead to severe system misuse\n\n\n# High Severity - $1500\nIssues that savedroid AG would consider to be High impact include:\n\nCross account access in apps\nStored cross-site scripting (XSS) that can affect other users\nFlaws that could be used to exploit 3rd-party integration services\nUnauthorized configuration changes to installed Infrastructure agents\nRemote code execution (RCE) on savedroid backend services\nAbility to write data in misconfigured S3 buckets\nPrivate Key Leakage\n\n\n# Medium Severity - $500\nIssues that savedroid AG would consider to be medium impact include:\n\nInsufficient validation of incoming URI handler calls for mobile applications leading to information disclosure\nMisconfigurations resulting in information leaks\nsubdomain takeover\n\n# Low Severity - $250\nIssues that savedroid AG would consider to be low impact :\n\nInformation leaks (e.g. directory listing, first name and last name of a user)\nData leaks from internal systems\n\n\n#savedroid Bug Bounty Program\n\n[savedroid AG] (www.savedroid.com) specialises in AI technology for cryptocurrency savings. savedroid registered as an Account Information Service Provider (AIS) at the German banking authority (BaFin); its data protection is certified by TÜV.\n\nsavedroid AG aims to keep its Service safe for everyone, and data security is of the utmost priority. \nsavedroid AG will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. \n\nWe have included a document that will help you get to know Savedroid a little better with some frequently asked questions. \n{F585687}\n\n\n# Response Targets\nSaveDroid will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days\n* Time to bounty (from triage) - 7 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Testing Exclusion\nPlease note you are not permitted to access, download or modify data residing in any other Account, or one that is not registered to you.\nYou are also prohibited from: \n*\tExecuting or attempting to execute any Denial of Service attack.\n*\tKnowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.\n*\tAttempting to social engineer support staff.\n*\tTesting in a manner that would result in the sending of unsolicited or unauthorised junk mail, spam, \n pyramid schemes or other forms of duplicative or unsolicited messages.\n*\tTesting in a manner that would degrade the operation of the Service.\n*\tTesting or otherwise accessing or using the Service from any jurisdiction that is a Prohibited \n Jurisdiction.\n*\tTesting third party applications or websites or services that integrate with or link to the Service.\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n*\tBrute-force, / Rate-limiting, / Velocity throttling, and other denial of service based issues.\n*\tClickjacking on pages with no sensitive actions.\n*\tContent spoofing issues without branding CSS.\n*\tCookie flags.\n*\tCovert Redirects.\n*\tIssue where the fix only requires a text change.\n*\tUnauthenticated/logout/login CSRF.\n*\tMalicious attachments on file uploads or attachments.\n*\tMissing additional security controls, such as HSTS or CSP headers\n*\tMobile issues that require a Rooted or Jailbroken device.\n*\tPassword recovery policies, such as reset link expiration or password complexity\n*\tReflected File Download (this may be rewarded in the future, but is currently out of scope)\n*\tSPF, DKIM, DMARC issues.\n*\tXSS (or a behavior) where you can only attack yourself\n*\tXSS on pages where admins are intentionally given full HTML editing capabilities, such as custom \n theme editing\n* Attacks requiring MITM or physical access to a user's device.\n* Missing best practices in SSL/TLS configuration.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SaveDroid and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-10-30T09:37:04.064Z"},{"id":3620767,"new_policy":"# What's new\n07-08-2019 - Categorization of the Issues based on severity and priority for savedroid for new Public Bug Bounty Program.\n\n# Rewards\n# Critical Severity - $2500\nIssues that savedroid AG would consider to be critical impact include:\n\nTransfer SVD without Balance\nAccess to Hot Wallets, personal wallet to store the SVD's and trade the crypto SVD's.\nBuy Crypto without paying for it\nGet the other user private data\n Authentication bypass in apps\nChanging critical functionality of a system which may lead to severe system misuse\n\n\n# High Severity - $1500\nIssues that savedroid AG would consider to be High impact include:\n\nCross account access in apps\nStored cross-site scripting (XSS) that can affect other users\nFlaws that could be used to exploit 3rd-party integration services\nUnauthorized configuration changes to installed Infrastructure agents\nRemote code execution (RCE) on savedroid backend services\nAbility to write data in misconfigured S3 buckets\nPrivate Key Leakage\n\n\n# Medium Severity - $500\nIssues that savedroid AG would consider to be medium impact include:\n\nInsufficient validation of incoming URI handler calls for mobile applications leading to information disclosure\nMisconfigurations resulting in information leaks\nsubdomain takeover\n\n# Low Severity - $250\nIssues that savedroid AG would consider to be low impact :\n\nInformation leaks (e.g. directory listing, first name and last name of a user)\nData leaks from internal systems\n\n\n#savedroid Bug Bounty Program\n\n[savedroid AG] (www.savedroid.com) specialises in AI technology for cryptocurrency savings. savedroid registered as an Account Information Service Provider (AIS) at the German banking authority (BaFin); its data protection is certified by TÜV.\n\nsavedroid AG aims to keep its Service safe for everyone, and data security is of the utmost priority. \nsavedroid AG will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. \n\nWe have included a document that will help you get to know Savedroid a little better with some frequently asked questions. \n{F585687}\n\n\n# Response Targets\nSaveDroid will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days\n* Time to bounty (from triage) - 7 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Testing Exclusion\nPlease note you are not permitted to access, download or modify data residing in any other Account, or one that is not registered to you.\nYou are also prohibited from: \n*\tExecuting or attempting to execute any Denial of Service attack.\n*\tKnowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.\n*\tAttempting to social engineer support staff.\n*\tTesting in a manner that would result in the sending of unsolicited or unauthorised junk mail, spam, \n pyramid schemes or other forms of duplicative or unsolicited messages.\n*\tTesting in a manner that would degrade the operation of the Service.\n*\tTesting or otherwise accessing or using the Service from any jurisdiction that is a Prohibited \n Jurisdiction.\n*\tTesting third party applications or websites or services that integrate with or link to the Service.\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n*\tBrute-force, / Rate-limiting, / Velocity throttling, and other denial of service based issues.\n*\tClickjacking on pages with no sensitive actions.\n*\tContent spoofing issues without branding CSS.\n*\tCookie flags.\n*\tCovert Redirects.\n*\tIssue where the fix only requires a text change.\n*\tUnauthenticated/logout/login CSRF.\n*\tMalicious attachments on file uploads or attachments.\n*\tMissing additional security controls, such as HSTS or CSP headers\n*\tMobile issues that require a Rooted or Jailbroken device.\n*\tPassword recovery policies, such as reset link expiration or password complexity\n*\tReflected File Download (this may be rewarded in the future, but is currently out of scope)\n*\tSPF, DKIM, DMARC issues.\n*\tXSS (or a behavior) where you can only attack yourself\n*\tXSS on pages where admins are intentionally given full HTML editing capabilities, such as custom \n theme editing\n* Attacks requiring MITM or physical access to a user's device.\n* Missing best practices in SSL/TLS configuration.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SaveDroid and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-10-08T09:40:48.867Z"},{"id":3619475,"new_policy":"# What's new\n07-08-2019 - Categorization of the Issues based on severity and priority for savedroid for new Public Bug Bounty Program.\n\n# Rewards\n# Critical Severity - $1500\nIssues that savedroid AG would consider to be critical impact include:\n\nTransfer SVD without Balance\nAccess to Hot Wallets, personal wallet to store the SVD's and trade the crypto SVD's.\nBuy Crypto without paying for it\nGet the other user private data\n Authentication bypass in apps\nChanging critical functionality of a system which may lead to severe system misuse\n\n\n# High Severity - $1000\nIssues that savedroid AG would consider to be High impact include:\n\nCross account access in apps\nStored cross-site scripting (XSS) that can affect other users\nFlaws that could be used to exploit 3rd-party integration services\nUnauthorized configuration changes to installed Infrastructure agents\nRemote code execution (RCE) on savedroid backend services\nAbility to write data in misconfigured S3 buckets\nPrivate Key Leakage\n\n\n# Medium Severity - $250\nIssues that savedroid AG would consider to be medium impact include:\n\nInsufficient validation of incoming URI handler calls for mobile applications leading to information disclosure\nMisconfigurations resulting in information leaks\nsubdomain takeover\n\n# Low Severity - $100\nIssues that savedroid AG would consider to be low impact :\n\nInformation leaks (e.g. directory listing, first name and last name of a user)\nData leaks from internal systems\n\n\n#savedroid Bug Bounty Program\n\n[savedroid AG] (www.savedroid.com) specialises in AI technology for cryptocurrency savings. savedroid registered as an Account Information Service Provider (AIS) at the German banking authority (BaFin); its data protection is certified by TÜV.\n\nsavedroid AG aims to keep its Service safe for everyone, and data security is of the utmost priority. \nsavedroid AG will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. \n\nWe have included a document that will help you get to know Savedroid a little better with some frequently asked questions. \n{F585687}\n\n\n# Response Targets\nSaveDroid will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days\n* Time to bounty (from triage) - 7 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Testing Exclusion\nPlease note you are not permitted to access, download or modify data residing in any other Account, or one that is not registered to you.\nYou are also prohibited from: \n*\tExecuting or attempting to execute any Denial of Service attack.\n*\tKnowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.\n*\tAttempting to social engineer support staff.\n*\tTesting in a manner that would result in the sending of unsolicited or unauthorised junk mail, spam, \n pyramid schemes or other forms of duplicative or unsolicited messages.\n*\tTesting in a manner that would degrade the operation of the Service.\n*\tTesting or otherwise accessing or using the Service from any jurisdiction that is a Prohibited \n Jurisdiction.\n*\tTesting third party applications or websites or services that integrate with or link to the Service.\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n*\tBrute-force, / Rate-limiting, / Velocity throttling, and other denial of service based issues.\n*\tClickjacking on pages with no sensitive actions.\n*\tContent spoofing issues without branding CSS.\n*\tCookie flags.\n*\tCovert Redirects.\n*\tIssue where the fix only requires a text change.\n*\tUnauthenticated/logout/login CSRF.\n*\tMalicious attachments on file uploads or attachments.\n*\tMissing additional security controls, such as HSTS or CSP headers\n*\tMobile issues that require a Rooted or Jailbroken device.\n*\tPassword recovery policies, such as reset link expiration or password complexity\n*\tReflected File Download (this may be rewarded in the future, but is currently out of scope)\n*\tSPF, DKIM, DMARC issues.\n*\tXSS (or a behavior) where you can only attack yourself\n*\tXSS on pages where admins are intentionally given full HTML editing capabilities, such as custom \n theme editing\n* Attacks requiring MITM or physical access to a user's device.\n* Missing best practices in SSL/TLS configuration.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SaveDroid and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-09-18T10:53:19.890Z"},{"id":3619392,"new_policy":"# What's new\n07-08-2019 - Categorization of the Issues based on severity and priority for savedroid for new Public Bug Bounty Program.\n\n# Rewards\n# Critical Severity - $1500\nIssues that savedroid AG would consider to be critical impact include:\n\nTransfer SVD without Balance\nAccess to Hot Wallets, personal wallet to store the SVD's and trade the crypto SVD's.\nBuy Crypto without paying for it\nGet the other user private data\n Authentication bypass in apps\nChanging critical functionality of a system which may lead to severe system misuse\n\n\n# High Severity - $1000\nIssues that savedroid AG would consider to be High impact include:\n\nCross account access in apps\nStored cross-site scripting (XSS) that can affect other users\nFlaws that could be used to exploit 3rd-party integration services\nUnauthorized configuration changes to installed Infrastructure agents\nRemote code execution (RCE) on savedroid backend services\nAbility to write data in misconfigured S3 buckets\nPrivate Key Leakage\n\n\n# Medium Severity - $250\nIssues that savedroid AG would consider to be medium impact include:\n\nInsufficient validation of incoming URI handler calls for mobile applications leading to information disclosure\nMisconfigurations resulting in information leaks\nsubdomain takeover\n\n# Low Severity - $100\nIssues that savedroid AG would consider to be low impact :\n\nInformation leaks (e.g. directory listing, first name and last name of a user)\nData leaks from internal systems\n\n\n#savedroid Bug Bounty Program\n\n[savedroid AG] (www.savedroid.com) specialises in AI technology for cryptocurrency savings. savedroid registered as an Account Information Service Provider (AIS) at the German banking authority (BaFin); its data protection is certified by TÜV.\n\nsavedroid AG aims to keep its Service safe for everyone, and data security is of the utmost priority. \nsavedroid AG will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. \n\nWe have included a document that will help you get to know Savedroid a little better with some frequently asked questions. \n[Savedroid - Getting started with Savedroid](https://docs.google.com/document/d/1r5LnJxjXdXuO4X6pzd9JGNTB_7KRXkHhrUcKAAEZVVw/edit)\n\n# Response Targets\nSaveDroid will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days\n* Time to bounty (from triage) - 7 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Testing Exclusion\nPlease note you are not permitted to access, download or modify data residing in any other Account, or one that is not registered to you.\nYou are also prohibited from: \n*\tExecuting or attempting to execute any Denial of Service attack.\n*\tKnowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.\n*\tAttempting to social engineer support staff.\n*\tTesting in a manner that would result in the sending of unsolicited or unauthorised junk mail, spam, \n pyramid schemes or other forms of duplicative or unsolicited messages.\n*\tTesting in a manner that would degrade the operation of the Service.\n*\tTesting or otherwise accessing or using the Service from any jurisdiction that is a Prohibited \n Jurisdiction.\n*\tTesting third party applications or websites or services that integrate with or link to the Service.\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n*\tBrute-force, / Rate-limiting, / Velocity throttling, and other denial of service based issues.\n*\tClickjacking on pages with no sensitive actions.\n*\tContent spoofing issues without branding CSS.\n*\tCookie flags.\n*\tCovert Redirects.\n*\tIssue where the fix only requires a text change.\n*\tUnauthenticated/logout/login CSRF.\n*\tMalicious attachments on file uploads or attachments.\n*\tMissing additional security controls, such as HSTS or CSP headers\n*\tMobile issues that require a Rooted or Jailbroken device.\n*\tPassword recovery policies, such as reset link expiration or password complexity\n*\tReflected File Download (this may be rewarded in the future, but is currently out of scope)\n*\tSPF, DKIM, DMARC issues.\n*\tXSS (or a behavior) where you can only attack yourself\n*\tXSS on pages where admins are intentionally given full HTML editing capabilities, such as custom \n theme editing\n* Attacks requiring MITM or physical access to a user's device.\n* Missing best practices in SSL/TLS configuration.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SaveDroid and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-09-17T12:32:58.530Z"},{"id":3615847,"new_policy":"# What's new\n07-08-2019 - Categorization of the Issues based on severity and priority for savedroid for new Public Bug Bounty Program.\n\n# Rewards\n# Critical Severity - $1500\nIssues that savedroid AG would consider to be critical impact include:\n\nTransfer SVD without Balance\nAccess to Hot Wallets, personal wallet to store the SVD's and trade the crypto SVD's.\nBuy Crypto without paying for it\nGet the other user private data\n Authentication bypass in apps\nChanging critical functionality of a system which may lead to severe system misuse\n\n\n# High Severity - $1000\nIssues that savedroid AG would consider to be High impact include:\n\nCross account access in apps\nStored cross-site scripting (XSS) that can affect other users\nFlaws that could be used to exploit 3rd-party integration services\nUnauthorized configuration changes to installed Infrastructure agents\nRemote code execution (RCE) on savedroid backend services\nAbility to write data in misconfigured S3 buckets\nPrivate Key Leakage\n\n\n# Medium Severity - $250\nIssues that savedroid AG would consider to be medium impact include:\n\nInsufficient validation of incoming URI handler calls for mobile applications leading to information disclosure\nMisconfigurations resulting in information leaks\nsubdomain takeover\n\n# Low Severity - $100\nIssues that savedroid AG would consider to be low impact :\n\nInformation leaks (e.g. directory listing, first name and last name of a user)\nData leaks from internal systems\n\n\n#savedroid Bug Bounty Program\n\n[savedroid AG] (www.savedroid.com) specialises in AI technology for cryptocurrency savings. savedroid registered as an Account Information Service Provider (AIS) at the German banking authority (BaFin); its data protection is certified by TÜV.\n\nsavedroid AG aims to keep its Service safe for everyone, and data security is of the utmost priority. \nsavedroid AG will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. \n\n# Response Targets\nSaveDroid will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days\n* Time to bounty (from triage) - 7 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Testing Exclusion\nPlease note you are not permitted to access, download or modify data residing in any other Account, or one that is not registered to you.\nYou are also prohibited from: \n*\tExecuting or attempting to execute any Denial of Service attack.\n*\tKnowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.\n*\tAttempting to social engineer support staff.\n*\tTesting in a manner that would result in the sending of unsolicited or unauthorised junk mail, spam, \n pyramid schemes or other forms of duplicative or unsolicited messages.\n*\tTesting in a manner that would degrade the operation of the Service.\n*\tTesting or otherwise accessing or using the Service from any jurisdiction that is a Prohibited \n Jurisdiction.\n*\tTesting third party applications or websites or services that integrate with or link to the Service.\n\n#Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n*\tBrute-force, / Rate-limiting, / Velocity throttling, and other denial of service based issues.\n*\tClickjacking on pages with no sensitive actions.\n*\tContent spoofing issues without branding CSS.\n*\tCookie flags.\n*\tCovert Redirects.\n*\tIssue where the fix only requires a text change.\n*\tUnauthenticated/logout/login CSRF.\n*\tMalicious attachments on file uploads or attachments.\n*\tMissing additional security controls, such as HSTS or CSP headers\n*\tMobile issues that require a Rooted or Jailbroken device.\n*\tPassword recovery policies, such as reset link expiration or password complexity\n*\tReflected File Download (this may be rewarded in the future, but is currently out of scope)\n*\tSPF, DKIM, DMARC issues.\n*\tXSS (or a behavior) where you can only attack yourself\n*\tXSS on pages where admins are intentionally given full HTML editing capabilities, such as custom \n theme editing\n* Attacks requiring MITM or physical access to a user's device.\n* Missing best practices in SSL/TLS configuration.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep SaveDroid and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-08-08T14:41:18.809Z"}]