Responsible Disclosure Policy

Hindawi welcomes feedback from the community on its products, platform and website. Our Responsible Disclosure policy permits anyone in the community to carry out security testing within the reasonable standards prescribed below, and to communicate the results to us safely. If you identify a vulnerability in Hindawi's products, platform or website, please report it to security@hindawi.com, encrypting your report with our PGP key (fingerprint: 5B380BF70348EFC7ADCA2143712C7E19C1658D1C).

For the development of Phenom and our new website, we have relied on community-driven solutions and collaborative work. Our platforms are built on open source software and benefit from feedback from the communities we serve. 

We welcome your support to help us address any security issues, both to improve our products and protect our users. 

We agree not to pursue legal action against individuals or companies who submit vulnerability reports through our requested channel and who comply with the requirements of this policy unless we are compelled to do so by a regulatory authority, other third party, or applicable laws.

The following actions are not covered by this Responsible Disclosure Policy and are not permitted under it (note that this list is not exhaustive):

  • Taking any action that will negatively affect Hindawi, its subsidiaries or agents.
  • Retaining any personally identifiable information discovered, in any medium. Any personally identifiable information discovered must be permanently destroyed or deleted from your device and storage.
  • Disclosing any personally identifiable information discovered to any third party.
  • Destruction or corruption of data, information or infrastructure, including any attempt to do so.
  • Discovery dependent on social engineering techniques of any kind (any verbal or written interaction with anyone affiliated with or working for Hindawi).
  • Any exploitation beyond what is required for an initial "Proof of Vulnerability", including accessing or attempting to access Hindawi's data or information. Your actions to obtain and validate the Proof of Vulnerability must stop immediately after initial access to the data or system has been demonstrated.
  • Attacks on third-party services.
  • Denial of Service attacks or Distributed Denial of Services attacks.
  • Any attempt to gain physical access to Hindawi property or data centers.
  • Use of assets that you do not own or are not authorised or licensed to use when discovering a vulnerability.
  • Violation of any laws or agreements in the course of discovering or reporting any vulnerability.

Out of scope vulnerabilities

  • Vulnerabilities identified with automated tools (including web scanners) that do not include proof-of-concept code or a demonstrated exploit.
  • Third-party applications, websites or services that integrate with or link to Hindawi.
  • Reports that an in-use service or third-party component runs a version with known vulnerabilities, without demonstrating an actual security impact on Hindawi.

Preference, prioritization, and acceptance criteria

We will use the following criteria to prioritize and triage submissions.

What we would like to see from you:

  • Well-written reports in English will have a higher chance of resolution.
  • Reports that include proof-of-concept code equip us to better triage.
  • Reports that include only crash dumps or other automated tool output may receive lower priority.
  • Reports that include products not on the initial scope list may receive lower priority.
  • Please include how you found the bug, the impact, and any potential remediation.
  • Please include any plans or intentions for public disclosure.

What you can expect from us:

  • A timely response to your email.
  • After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
  • An open dialogue to discuss issues.
  • Notification when the vulnerability analysis has completed each stage of our review.

Since our source code is open source and we contribute actively to the open source and open science communities, we currently regard these disclosures as contributions to a world where access to research is open to everyone. As such, we do not offer bounties at this time.

Thank you for your contribution to open source, open science, and a better world altogether!

Hindawi reserves all of its rights, especially regarding vulnerability discoveries that are not in compliance with this Responsible Disclosure policy. This Responsible Disclosure policy is dated 1 October 2020 and will be periodically reviewed and updated; please bookmark this page and check it for the latest version of the policy before taking any action.

Acknowledgements

Researcher                              Vulnerability                           Date
Saqib Kharadi                           SPF Vulnerability                       October 2020
dhinil kv                               Email Spoofing                          November 2020
omethasan                               Open Redirect                           November 2020
Faizan Ahmed                            Email Spoofing                          November 2020
BOULBALI Anas                           Legacy Source Code Disclosure           November 2020
Gurpreet                                SPF Vulnerability                       December 2020
Shivam Verma (cyb3r-n3rd)               Open Redirect                           December 2020
Utkarsh Agrawal                         System Password Exposed                 December 2020
Sujata Sunil Junare                     Email Spoofing                          January 2021
NARASIMHA REDDY                         Open Redirect                           January 2021
Santosh Bobade                          HTML Injection                          January 2021
Ravindra Dagale                         Server Information Disclosure           January 2021
Gaurav Popalghat                        HTTP Login                              February 2021
Anto Denvo J                            DMARC Vulnerability                     February 2021
Shouvik Dutta (warlock_root_x)          Full Path Disclosure                    March 2021
Anil Bhatt                              Jenkins                                 April 2021
Arjun Singh                             S3 Bucket Information Disclosure        April 2021
MD. Gollam Rabbi                        Legacy Logs Information Disclosure      April 2021
MD. Gollam Rabbi                        Dev/QA Server Information Disclosure    April 2021
MD. Gollam Rabbi                        Jenkins                                 April 2021
Hasibul Hasan Rifat                     Information Disclosure                  April 2021
Vinay Bhuria                            Clickjacking                            April 2021
Suraj Satish Kharade                    SSL Certificate                         April 2021
Ravindra Dagale                         Legacy MMS IIS version exposed          April 2021
Mr_3rr0r_501                            SPF Vulnerability                       May 2021
gaurang maheta                          Open Redirect                           May 2021
Arjun Chandarana                        Open Redirect                           June 2021
Biswajit Mahapatra                      Open Redirect                           July 2021
Mirraziali                              SPF Vulnerability                       August 2021
Deevan Kumar (D1)                       Open Redirect                           September 2021
Dum7c                                   Open Redirect                           October 2021
Shashwat Kumar                          Open Redirect                           March 2022
Saikiran Satharapu                      Information Disclosure                  March 2022
Nikhil Rane                             HTTP Links in emails                    April 2022
Shreyash Khare                          jQuery Prototype Pollution              May 2022
Keyur Maheta                            S3 Bucket Information Disclosure        June 2022
Harsh Bhanushali                        jQuery Prototype Pollution              July 2022
Girish B O                              Cross-domain Script Include             July 2022
Muztahidul Islam Tanim                  Compromised Credential                  December 2022
Palyam Ajaykumar                        HTTP Links in emails                    December 2022
Vinit Lakra                             Prototype pollution attack              January 2023
Amisha Sagar                            HTML Injection                          February 2023
Abhijeet Ingle                          Legacy System missing DMARC             March 2023
Kanajam Anantapurnasai (Alpha_Is_Back)  Legacy System Missing Bucket            April 2023
Samruddhi Navale                        Legacy System Missing Bucket            April 2023
Prakash Chand Thakuri                   Indexing FTP Credentials Disclosed      May 2023
Soumyaranjan Das (D1A0S)                Compromised Credential                  June 2023
Sri Chinnadurai.s                       Compromised Credential                  September 2023