VIDIO BUG BOUNTY PROGRAM

Vidio invites security researchers, hackers, and the general public to participate in our Bug Bounty program, aimed at discovering and addressing security vulnerabilities in our website and mobile applications. We value your commitment to enhancing the security of our services and are eager to collaborate with you in this effort. If you find any method of stealing our content, please inform us as we are interested in exploring it further. Good luck and enjoy the hunt!


Reporting

If you suspect you've uncovered a security vulnerability in Vidio's service, please report it right away. We'll discuss the issue and collaborate to find a solution.

Before conducting security research on Vidio, please read and understand the following guidelines and regulations:

  • ♦ Only use your own account for security testing, and avoid causing harm to other users or Vidio's system.
  • ♦ Do not disclose security vulnerabilities to the general public without our permission.
  • ♦ Only publish validated, non-duplicate security flaws that have undergone our verification process.
  • ♦ Refrain from exploiting discovered security vulnerabilities for personal or group gain.
  • ♦ Vidio will not take legal action against security researchers who adhere to the Bug Bounty program's rules.
  • ♦ Vidio will enforce sanctions and legal measures against those who violate the regulations, based on applicable law, including but not limited to the Law of the Republic of Indonesia No. 11 of 2008 concerning Information and Electronic Transactions.
  • ♦ By participating in this program, you acknowledge the above information and agree to abide by the stated rules.

Reporting Step

Submit your findings to security [at] vidio.com, providing a detailed explanation. Your report should include:

  • ♦ The type of security vulnerability discovered.
  • ♦ Brief steps to reproduce your findings.
  • ♦ Proof of Concept (PoC) in the form of an image or video. Attach this to your email.
  • ♦ The potential impact of the security vulnerability.
  • ♦ Recommendations for fixing the vulnerability.


Rewards

Our rewards are impact-based: we offer higher rewards for vulnerabilities that could expose sensitive user data, and lower or no rewards for vulnerabilities that only allow minor actions, such as defacing a microsite. During our reward meetings, we consider the potential impact of a malicious attacker exploiting the vulnerability and compensate accordingly. We only reward the first reporter who provides actionable information to identify the issue.

Ultimately, reward payouts are at our discretion, but we strive for fairness. Some researchers may disagree with our decisions, but we aim to be ethically responsible and trust that the majority will find their rewards fair and, in many cases, generous. The program will evolve over time. Accepting a reward signifies agreement not to disclose the vulnerability to the public.


TERMS & CONDITIONS

Please keep in mind that your participation in the Bug Bounty Program is entirely voluntary and is subject to the terms and conditions outlined on this page ("Terms & Conditions"). You acknowledge that you have read and agree to these Program Terms by submitting a site or product vulnerability to Vidio.


Forbidden Actions

  • ♦ Non-technical assaults, such as social engineering, phishing, or gaining unauthorized access to the matrix—err, infrastructure—are strictly off-limits.
  • ♦ Keep your light sabers at bay and avoid initiating any attacks that may interfere with our services (e.g., DDoS/Spam).
  • ♦ No targeting our end users, even if you're a Sith Lord. Also, trading pilfered user credentials is a no-go.
  • ♦ Employing automated scanners and tools to discover vulnerabilities? That's a big no-no in this galaxy.
  • ♦ Don't boldly go where no one has gone before by conducting automated or scripted testing on web forms, especially "Contact Us" forms intended for customer communication with our support team.
  • ♦ Feel free to test vulnerabilities in your own or test accounts, but remember: with great power comes great responsibility—don't access others' data.

In-Scope Domain

  • ♦ vidio.com
  • ♦ www.vidio.com
  • ♦ m.vidio.com
  • ♦ api.vidio.com
  • ♦ *etslive-v3-vidio-com-tokenized.akamaized.net
  • ♦ token-media-001-vidio-com.akamaized.net
  • ♦ token-media-vidio-com.akamaized.net
  • ♦ token-media-001-vidio-com.vidiocdn.net
  • ♦ vid.id
  • ♦ Android applications
  • ♦ iOS applications
  • ♦ AndroidTV, tvOS, ReactTV

In-Scope Vulnerability Classes

Content Protection and DRM Issues:

  • ♦ DRM Bypass and Cracking: Exploits or methods for circumventing Digital Rights Management (DRM) protections.
  • ♦ Screensharing and HDCP Vulnerabilities: Issues related to unauthorized screensharing or weaknesses in High-bandwidth Digital Content Protection (HDCP).
  • ♦ Content Piracy: Includes Credential Theft, Session Token Theft, Content Key Decryption, and Geo-Blocking Bypass.
  • ♦ Replay and Redistribution Attacks: Capturing and replaying protected content streams or unauthorized redistribution of protected content.
  • ♦ Content Watermarking and Fingerprinting Attacks: Exploits related to watermarking systems and digital fingerprints used for content protection.
  • ♦ License Management Vulnerabilities: Issues with systems managing licenses or rights for accessing protected content.

General Vulnerability Classes:

  • ♦ Cross-site Scripting (XSS)
  • ♦ Cross-site Request Forgery (CSRF)
  • ♦ Server-Side Request Forgery (SSRF)
  • ♦ SQL Injection
  • ♦ Server-side Remote Code Execution (RCE)
  • ♦ XML External Entity Attacks (XXE)
  • ♦ Access Control Issues: Insecure Direct Object Reference (IDOR) and similar issues.
  • ♦ Exposed Administrative Panels: Panels that do not require login credentials.
  • ♦ Directory Traversal Issues
  • ♦ Local File Disclosure (LFD)
  • ♦ Misconfiguration Issues: Problems with server or application configuration.
  • ♦ Significant Authentication Bypass
  • ♦ Information Disclosure: Exposure of sensitive information.
  • ♦ Server-Side Template Injection (SSTI)
  • ♦ Leaked Private Keys
  • ♦ Local/Remote File Inclusion (LFI/RFI)

Out-of-scope Vulnerability Classes

  • ♦ Open redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing OAuth tokens, we do still want to hear about them.
  • ♦ Publicly accessible login panels - These generally have low security impact and are in software that Vidio runs but doesn’t control.
  • ♦ Reports that state that software is out of date/vulnerable without a proof of concept.
  • ♦ Host header issues without an accompanying proof-of-concept demonstrating vulnerability.
  • ♦ XSS issues that affect only outdated browsers.
  • ♦ Stack traces that disclose information.
  • ♦ CSV injection. Please see this article.
  • ♦ Missing best practices (we require evidence of a security vulnerability).
  • ♦ Highly speculative reports about theoretical damage. Be concrete.
  • ♦ Self-XSS that can not be used to exploit other users (this includes having a user paste JavaScript into the browser console).
  • ♦ Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.
  • ♦ Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.
  • ♦ Denial of Service Attacks.
  • ♦ Reflected File Download (RFD).
  • ♦ window.opener-related issues.
  • ♦ Physical or social engineering attempts (this includes phishing attacks against PT Vidio Dot Com employees).
  • ♦ Content injection issues.
  • ♦ Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
  • ♦ Missing autocomplete attributes.
  • ♦ Missing cookie flags on non-security-sensitive cookies.
  • ♦ Issues that require physical access to a victim’s computer.
  • ♦ Missing security headers that do not present an immediate security vulnerability.
  • ♦ Fraud issues.
  • ♦ SSL/TLS scan reports (this means output from sites such as SSL Labs).
  • ♦ Banner grabbing issues (figuring out what web server we use, etc.).
  • ♦ Open ports without an accompanying proof-of-concept demonstrating vulnerability.
  • ♦ Recently disclosed 0-day vulnerabilities. We need time to patch our systems just like everyone else; please give us two weeks before reporting these types of issues.
  • ♦ Disclosure of known public files or directories.
  • ♦ Use of a known-vulnerable library without a description of an exploit specific to our implementation.
  • ♦ OPTIONS / TRACE HTTP method enabled.
  • ♦ Cookies that keep working after logout.
  • ♦ Presence of autocomplete attribute on web forms.
  • ♦ Cookies that lack the HttpOnly or Secure flag for non-sensitive data.
  • ♦ Issues related to networking protocols or industry standards.
  • ♦ Username enumeration based on login, forgot-password, account creation and registration pages, and enforcement policies for brute force or account lockout.
  • ♦ Unrealistically complicated clickjacking attacks.
  • ♦ Mail configuration issues including SPF, DKIM, DMARC settings.
  • ♦ Password or account recovery policies, such as reset link expiration or password complexity.
  • ♦ Publicly accessible login panels.
  • ♦ Content spoofing / text injection.
  • ♦ Mixed content issues.
  • ♦ XML-RPC issues.
  • ♦ Issues related to active sessions after password changes.
  • ♦ Hyperlink injection in emails using forms available to any user.
  • ♦ Reports of credentials exposed by other data breaches / known credential lists.
  • ♦ Lack of crossdomain.xml, p3p.xml, robots.txt or any other policy files, and/or wildcard (*) presence/misconfiguration in these.
  • ♦ Man-in-the-Middle attacks, except for sensitive information such as passwords.
  • ♦ Functional product defects, garbled pages, style mixing, file path traversals that do not cause business impact.
  • ♦ Lack of root detection in mobile apps.
  • ♦ Scenarios requiring excessive user interaction or tricking users like phishing or clickjacking.
  • ♦ Rate limiting and brute-force attacks.
  • ♦ Vulnerabilities found in third party services.
  • ♦ EXIF data not stripped on images.
  • ♦ Phishing risk via unicode/punycode or RTLO issues.
  • ♦ Missing HTTP security headers, for example: Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP, Content-Security-Policy-Report-Only.
  • ♦ Recently disclosed 0-day vulnerabilities. We need time to patch our systems; please give us 1 month before reporting these types of issues.
  • ♦ Entering the SCTV Tower, throwing popcorn everywhere, unleashing a bunch of cats, and hijacking our servers while engineers are distracted...

Confidentiality

Bounty is committed to maintaining the confidentiality of any material or information related to Vidio bugs that is acquired directly or indirectly through written, electronic, oral, or observational means ("Confidential Information"). Disclosure of any Confidential Information to third parties by Bounty is strictly prohibited, unless expressly authorized by Vidio. Bounty shall take all reasonable measures to protect the confidentiality of Confidential Information, including but not limited to restricting access to such information only to those third parties who have been informed of its confidential nature and have agreed not to disclose or use such information other than as authorized by Vidio. Any unauthorized or suspected use or disclosure of Confidential Information by Bounty must be promptly reported to Vidio. However, the foregoing provisions do not apply to information that Bounty was already aware of prior to Vidio's exposure, information that was publicly available through no fault of Bounty, information that was disclosed legally to Bounty by a third party without any obligation of confidentiality to Vidio, or information that was independently developed by Bounty without reference to Confidential Information.

Changes to Program Terms

We take our Bug Bounty Program seriously and are committed to providing a secure platform for our users. Therefore, Vidio reserves the right to modify or terminate the Bug Bounty Program, including its policies, at any time and without notice. As a result, Vidio may revise these Program Terms and policies at any time by publishing an updated version on our website. By participating in the Bug Bounty Program after such changes have been made, you agree to accept the Program Terms, as revised.


Hall of Fame

This page is dedicated to you. We are honored to have your name displayed here.

  • ♦ Awaken Sin
  • ♦ Putra Aji Adhari
  • ♦ Foysal Ahmed Fahim
  • ♦ Rafi Andhika Galuh
  • ♦ Andika Fransisco
  • ♦ Amir Farhan
  • ♦ Ardyan Vicky Ramadhan
  • ♦ Guarded Researcher
  • ♦ Bagas
  • ♦ Aidil Arief
  • ♦ Aman
  • ♦ amirfaki234@gmail.com
  • ♦ Koutrouss
  • ♦ Helmay Cahyadi
  • ♦ Tushar Sharma
  • ♦ Ashutosh Shukla
  • ♦ Udin Gans
  • ♦ Raman Mohurle
  • ♦ Faiz Hanafi
  • ♦ Nitish Shah
  • ♦ Eric Head
  • ♦ Rifa'i Rejal Maynando
  • ♦ Ade Krisna
  • ♦ Rovel Prasetya
  • ♦ Aviad Carmel - Salt Security
  • ♦ Aditya Alfiki
  • ♦ Bagas
  • ♦ Arez TheHopeBuster
  • ♦ Galatia Sijabat
  • ♦ Soultan Muhammad Albar
  • ♦ Mahendra Nanda
  • ♦ Azhari Harahap x2
  • ♦ Maulana Noer Fauzy
  • ♦ Rama Aryo Prambudi