Responsible Disclosure Policy
Hindawi welcomes feedback from the community on its products, platform and website. Our Responsible Disclosure policy allows security testing to be done by anyone in the community within the prescribed reasonable standards, and provides for the safe communication of those results. If you identify any vulnerabilities in Hindawi’s products, platform or website, please report the matter to Hindawi at firstname.lastname@example.org using this PGP key (Hash: 5B380BF70348EFC7ADCA2143712C7E19C1658D1C).
For the development of Phenom and our new website, we have relied on community-driven solutions and collaborative work. Our platforms are built on open source software and benefit from feedback from the communities we serve.
We welcome your support to help us address any security issues, both to improve our products and protect our users.
We agree not to pursue legal action against individuals or companies who submit vulnerability reports through our requested channel and who comply with the requirements of this policy unless we are compelled to do so by a regulatory authority, other third party, or applicable laws.
The following are excluded from the Responsible Disclosure Policy (note that this list is not exhaustive):
- Taking any action that will negatively affect Hindawi, its subsidiaries or agents.
- Retaining any personally identifiable information discovered, in any medium. Any personally identifiable information discovered must be permanently destroyed or deleted from your device and storage.
- Disclosing any personally identifiable information discovered to any third party.
- Destruction or corruption of data, information or infrastructure, including any attempt to do so.
- Discovery dependent on social engineering techniques of any kind (any verbal or written interaction with anyone affiliated with or working for Hindawi).
- Any exploitation actions, including accessing or attempting to access Hindawi’s data or information, beyond what is required for the initial “Proof of Vulnerability.” This means your actions to obtain and validate the Proof of Vulnerability must stop immediately after initial access to the data or a system.
- Attacks on third-party services.
- Denial of Service attacks or Distributed Denial of Services attacks.
- Any attempt to gain physical access to Hindawi property or data centers.
- Use of assets that you do not own or are not authorised or licensed to use when discovering a vulnerability.
- Violation of any laws or agreements in the course of discovering or reporting any vulnerability.
Out of scope vulnerabilities
- Vulnerabilities identified with automated tools (including web scanners) that do not include proof-of-concept code or a demonstrated exploit.
- Third-party applications, websites or services that integrate with or link to Hindawi.
- Discovery that an in-use service (vulnerable third-party code, for example) is running a version with known vulnerabilities, without demonstrating an actual security impact.
Preference, prioritization, and acceptance criteria
We will use the following criteria to prioritize and triage submissions.
What we would like to see from you:
- Well-written reports in English will have a higher chance of resolution.
- Reports that include proof-of-concept code equip us to better triage.
- Reports that include only crash dumps or other automated tool output may receive lower priority.
- Reports that include products not on the initial scope list may receive lower priority.
- Please include how you found the bug, the impact, and any potential remediation.
- Please include any plans or intentions for public disclosure.
What you can expect from us:
- A timely response to your email.
- After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
- An open dialogue to discuss issues.
- Notification when the vulnerability analysis has completed each stage of our review.
Since all our source code is open source and we actively contribute to the open source and open science communities, we currently regard these disclosures as contributions to a world where access to research is open to everyone. As such, for now, we have no bounties available.
Thank you for your contribution to open source, open science, and a better world altogether!
Hindawi reserves all of its rights, especially regarding vulnerability discoveries that are not in compliance with this Responsible Disclosure policy. This Responsible Disclosure policy is dated 1 October 2020 and will be periodically reviewed and updated; please bookmark this page and check it for the latest version of the policy before taking any action.
| Researcher | Vulnerability | Date |
|---|---|---|
| Saqib Kharadi | SPF Vulnerability | October 2020 |
| dhinil kv | Email Spoofing | November 2020 |
| omethasan | Open Redirect | November 2020 |
| Faizan Ahmed | Email Spoofing | November 2020 |
| BOULBALI Anas | Legacy Source Code Disclosure | November 2020 |
| Gurpreet | SPF Vulnerability | December 2020 |
| Shivam Verma (cyb3r-n3rd) | Open Redirect | December 2020 |
| Utkarsh Agrawal | System Password Exposed | December 2020 |
| Sujata Sunil Junare | Email Spoofing | January 2021 |
| NARASIMHA REDDY | Open Redirect | January 2021 |
| Santosh Bobade | HTML Injection | January 2021 |
| Ravindra Dagale | Server Information Disclosure | January 2021 |
| Gaurav Popalghat | HTTP Login | February 2021 |
| Anto Denvo J | DMARC Vulnerability | February 2021 |
| Shouvik Dutta (warlock_root_x) | Full Path Disclosure | March 2021 |
| Anil Bhatt | Jenkins | April 2021 |
| Arjun Singh | S3 Bucket Information Disclosure | April 2021 |
| MD. Gollam Rabbi | Legacy Logs Information Disclosure | April 2021 |
| MD. Gollam Rabbi | Dev/QA Server Information Disclosure | April 2021 |
| MD. Gollam Rabbi | Jenkins | April 2021 |
| Hasibul Hasan Rifat | Information Disclosure | April 2021 |
| Vinay Bhuria | Clickjacking | April 2021 |
| Suraj Satish Kharade | SSL Certificate | April 2021 |
| Ravindra Dagale | Legacy MMS IIS version exposed | April 2021 |
| Mr_3rr0r_501 | SPF Vulnerability | May 2021 |
| gaurang maheta | Open Redirect | May 2021 |
| Arjun Chandarana | Open Redirect | June 2021 |
| Biswajit Mahapatra | Open Redirect | July 2021 |
| Mirraziali | SPF Vulnerability | August 2021 |
| Deevan Kumar (D1) | Open Redirect | September 2021 |
| Dum7c | Open Redirect | October 2021 |
| Shashwat Kumar | Open Redirect | March 2022 |
| Saikiran Satharapu | Information Disclosure | March 2022 |
| Nikhil Rane | HTTP Links in emails | April 2022 |
| Shreyash Khare | jQuery Prototype Pollution | May 2022 |
| Keyur Maheta | S3 Bucket Information Disclosure | June 2022 |
| Harsh Bhanushali | jQuery Prototype Pollution | July 2022 |
| Girish B O | Cross-domain Script Include | July 2022 |
| Muztahidul Islam Tanim | Compromised Credential | December 2022 |
| Palyam Ajaykumar | HTTP Links in emails | December 2022 |
| Vinit Lakra | Prototype pollution attack | January 2023 |
| Amisha Sagar | HTML Injection | February 2023 |
| Abhijeet Ingle | Legacy System missing DMARC | March 2023 |
| Kanajam Anantapurnasai (Alpha_Is_Back) | Legacy System Missing Bucket | April 2023 |
| Samruddhi Navale | Legacy System Missing Bucket | April 2023 |