Contact: mailto:security@miswag.com or via https://misw.ag/srt
Expires: 2025-10-13T07:35:00.000Z
Preferred-Languages: en
Acknowledgments: N/A
Policy:

Miswag takes the security of its systems and data very seriously and continuously strives to maintain the security and integrity of its products and services through state-of-the-art processes, security frameworks and regular audits. Miswag is committed to working with the security researcher community to improve the same. We strongly believe that a close partnership with security researchers on the latest trends in security threats and vulnerability identification creates a powerful ecosystem of security, making customers secure and confident to use the products and services along with all their impactful features. Miswag, therefore, has adopted this Vulnerability Disclosure Program (“VDP”) to engage security researchers to report, in a responsible manner, any security vulnerability that affects any product or service of Miswag. The VDP is an initiative driven and managed by Miswag’s Security team.

# In scope

- Web: *.miswag.com or any web app that belongs to Miswag.
- Miswag Android App
- Miswag iOS App

# Eligibility Criteria For Reporting Under VDP

- You are at least 18 years of age.
- You must be an individual researcher participating in your own individual capacity only.
- You must agree to the terms and conditions of Miswag’s VDP.
- You did not and will not access any personal information that is not your own, including by exploiting the vulnerability.
- The report must not be a duplicate of an internal finding we are already going to fix, or a duplicate of another security researcher's finding.

# Guidelines for Testing

When performing security testing, please adhere to the following guidelines:

- Only test against your own accounts and data (e.g. create test accounts). If you identify a vulnerability that may result in access to other users' data, please check with us first before testing further.
- If you inadvertently access other users' data in your testing, please let us know, and do not store any such user data.
- Do not perform testing that results in denial of service conditions or degradation of our production services.
- Social engineering is out of scope for this program; do not attempt to socially engineer our organization or our users.
- Include an "X-VDP" header on all of your requests, with your researcher email address as its value.
- Any conduct by a security researcher that appears to be unlawful, malicious, or criminal in nature, including but not limited to extortion, will result in immediate disqualification under this VDP.
- Perform research within the defined scope as set forth in this VDP.
- Do not access personal information or financial information of any customer, employee or other personnel of Miswag, or proprietary information or trade secrets of companies, partners or vendors. If you accidentally access any of these, or encounter any of the below on our systems while testing within the scope of this VDP, stop your test and notify us immediately at security@miswag.com.
- If the identified vulnerability can be used to potentially extract sensitive information related to customers or internal systems, or impact our ability to function normally, then stop your test and notify us immediately at security@miswag.com. This is absolutely essential for us to consider your disclosure a responsible one. We may take legal recourse if the identified vulnerabilities are exploited for unlawful gains, for gaining access to restricted customer or system information, or for impacting our systems.
- If you gain access to any non-public application or non-public credentials, please stop testing and report the issue immediately.
- Please do not run any automated scans or disrupt production systems.
- Please do not use open network ports or open services other than public HTTP endpoints while identifying vulnerabilities.
- Do not download or use more data than is necessary for testing the vulnerability.
- Do not make any changes or modifications without explicit prior permission from Miswag.
- Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Do not use or exploit a vulnerability to compromise or exfiltrate data, establish command-line access and/or persistence, or “pivot” to other systems.
- Do not violate any applicable laws or breach any agreements in order to discover vulnerabilities.
- Do not attempt to target Miswag’s employees or customers through social engineering, phishing or physical attacks (including but not limited to automated chat systems).
- Do not perform physical attacks against any facility of Miswag.
- Do not threaten or try to extort Miswag. Do not act in bad faith or make requests for ransom.

# Out of scope

- Denial-of-service attacks.
- Email spoofing and phishing.
- Spam and social engineering.
- Email or account enumeration.
- Any physical access issues.
- Publicly accessible pages.
- Any weakness or disclosure of information that does not lead to a direct vulnerability.
- Any vulnerabilities in third-party apps or websites are generally not within the scope of our VDP.
- Rate limiting (unless it implies a severe threat and/or business loss).
- Duplicate submissions for vulnerabilities already identified by external as well as internal researchers.
- Vulnerabilities related to Google Maps API keys.
- Multiple recurrences of the same vulnerability on different domains will be treated as the same issue.
- Software/service version disclosure.
- Cross-site request forgery (CSRF) in non-sensitive functions.
- Missing/misconfigured SPF/DMARC DNS records.
- Gmail “+” and “.” acceptance.
- Weak or misconfigured SSL/TLS parameters.
- Content spoofing without being able to modify HTML/CSS.
- Vulnerabilities within our sandbox, UAT, or staging environments.
- Vulnerabilities that are limited to unsupported browsers will not be accepted.
- Username/email enumeration, password guessing, and exposed API interfaces (like xmlrpc.php) in standard software (e.g. WordPress).
- IDOR for objects that you have permission to access.
- Clickjacking and other issues only exploitable through clickjacking.
- HttpOnly and Secure flags not set on non-session cookies.
- Issues without clearly identified security impact, such as missing security headers.
- Formula injection or CSV injection.
- DOM-based self-XSS and issues exploitable only through self-XSS.
- Networking issues or industry standards.
- Password complexity.
- Disclosure of known public files or directories (e.g. robots.txt).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Session timeouts.
- Concurrent sessions.
- SSL pinning bypass for both Android and iOS.
- Root/jailbreak detection bypass for both Android and iOS.
- EXIF geolocation data not stripped from uploaded images.

# You are not eligible to participate in the VDP if you meet any of the following criteria:

- You have any present or past record of committing any offence for violation of any law of the land;
- You have violated any applicable law or regulation, including cyber security laws or other data security and privacy laws prohibiting unauthorized access to information.
  It is clarified that any vulnerability security testing done in compliance with this Policy will be deemed to be authorized by Miswag;
- Your organization does not allow you to participate in these types of VDPs;
- You are in breach of your employer’s policy with respect to participation in the VDP;
- You are currently an employee of Miswag or any of its subsidiaries, or an immediate family member (parent, sibling, spouse, or child) or household member of such an employee;
- You are not currently, nor have you been within the 6 months prior to submitting a report under the VDP, an employee or consultant of Miswag or any of its subsidiaries or group companies;
- You are neither a family member nor a household member of any individual who currently, or within the past 6 months, meets or met the criteria listed above;
- You currently (or within six months prior to providing us your report submission) perform services for Miswag or any of its subsidiaries in an external staff capacity that requires access to the Miswag group, such as agency temporary worker, vendor employee, or contractor; or
- You are or were involved in any part of the development, administration, and/or execution of the VDP.

# What you can expect from us

- At the current moment, we don't have a bug bounty program. However, exceptional critical-severity reports with clear and detailed report writing might be an exception; please make sure to follow the rules during the engagement and don't forget to include the "X-VDP" header. Use the "Add Header" browser extension to set it, or the Match & Replace functionality in Burp Suite.
- Acknowledgment of Your Submission: We will confirm receipt of your vulnerability report within [72 hours].
- Thorough Investigation: Our team will review and investigate your submission to verify and assess the potential impact of the reported issue. You will be informed of the progress and outcome of your report.
- Recognition: If your report is valid and within scope, you may be eligible for public acknowledgment (if you opt in) on our [Hall of Fame / Acknowledgment Page].
- Respectful Communication: Our team will maintain professional, clear, and respectful communication throughout the process.
- Timely Updates: We will provide regular updates about the status of your report, including when it has been verified, resolved, or if further information is needed.
- Remediation: If the vulnerability is valid, we will prioritize fixing the issue promptly. You will be notified once the issue is resolved.
- Confidentiality: We will handle your submission with care and confidentiality. Your personal information will not be shared without your consent.