Bug bounty program

Bug bounty program

Our rewards are based on the severity of a vulnerability. HackerOne uses CVSS 3.0 (Common Vulnerability Scoring Standard) to calculate severity. Please note, however, that reward decisions are up to the discretion of MPCVault. Issues may receive a lower severity due to the presence of compensating controls and context. The amounts shown in the table should be considered the MAXIMUM amounts for each severity level, though bonuses may be given at MPCVault's discretion.

MPCVault Vulnerability Research Program (VRP) - Program Policy

Introduction

At MPCVault, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any MPCVault product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within the scope of the MPCVault Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make MPCVault more secure.

Who Can Participate in the Program

MPCVault customers and security researchers who discover a potential security finding within MPCVault products or services can report it to the VRP program. MPCVault employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program, or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).

How VRP Program Works

• Security researchers and customers of MPCVault are encouraged to report any behavior impacting the information security posture of MPCVault products and services.

• If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.

• Document your findings thoroughly, providing steps to reproduce and send your report to us.

  • Reports with complete vulnerability details, including screenshots or videos, are essential for a quick response.

• We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.

• We will work with the affected teams to validate the report.

• We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.

• We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if needed by us to reproduce and investigate the report.

• We will work with the affected teams to make necessary improvements and remediation.

• Qualified researchers who regularly submit high quality findings can be added to MPCVault's Private Program (invited researchers only).

Services and Products in Scope

Bounty eligible findings are limited to the following marketplaces and mobile apps:

(Note: Please check Scopes section for complete details on latest in-scope assets)

• https://mpcvault.com

• https://console.mpcvault.com

• MPCVault Android and iOS Apps

You are not authorized to test any asset, domain, or IP address outside the scope of the MPCVault Vulnerability Research Program. Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. If the researcher is not able to demonstrate the impact on bounty eligible assets then that finding will not be considered for the rewards.

Reports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists MPCVault security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.

Legal Safe Harbor

MPCVault will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.

As long as you comply with this policy:

• We consider your security research to be “authorized” under the Computer Fraud and Abuse Act and related laws. This limited authorization does not provide you with authorization to access company data or another person’s account.

• We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program in accordance with the terms of, for the limited purpose of your security research under this policy.

MPCVault cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability for actions performed by third parties.

Don’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.

To protect your privacy, we will not, unless served with legal process or to address a violation of this policy:

• Share your PII with third parties

• Share your research without your permission

• Share your HackerOne points, or participation without your permission

If Your Account is Banned or Blocked by Vulnerability Research Activities

• Follow on-screen instructions when you log in into your MPCVault account for recovery

• Be prepared with a recent card statement available to prove ownership

• The account will typically be restored within 24 hours

Research Guidance

Reference HackerOne guidance on writing quality reports:

• https://docs.hackerone.com/hackers/quality-reports.html

• https://www.hacker101.com/sessions/good_reports

Responsible Disclosure Policy

Thank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. Do not threaten or attempt to extort MPCVault. MPCVault commits to timely remediation of your findings, and prompt response to relevant questions.

Non-eligible Vulnerabilities

• Subdomain Takeover

• Clickjacking

• Self XSS

• Email Spoofing - SPF Records Misconfiguration

Out-of-Scope Issues

• Security Practices where other mitigating controls exist i.e. missing security headers, etc.

• Social Engineering, Phishing

• Physical Attacks

• Missing Cookie Flags

• CSRF with minimal impact i.e. Login CSRF, Logout CSRF, etc.

• Content Spoofing

• Stack Traces, Path Disclosure, Directory Listings

• SSL/TLS controls where other mitigating controls exist

• Banner Grabbing

• CSV Injection

• Reflected File Download

• Reports on Out of dated browsers

• Reports on outdated version/builds of in-scope Mobile Apps

• DOS/DDOS

• Host header Injection without a demonstrable impact

• Scanner Outputs

• Vulnerabilities on Third-Party Products

• User Enumeration

• Password Complexity

• HTTP Trace Method