VIDIO BUG BOUNTY PROGRAM
Vidio invites security researchers, hackers, and the general public to participate in our Bug Bounty program, aimed at discovering and addressing security vulnerabilities in our website and mobile applications. We value your commitment to enhancing the security of our services and are eager to collaborate with you in this effort. If you find any method of stealing our content, please inform us as we are interested in exploring it further. Good luck and enjoy the hunt!
Reporting
If you suspect you've uncovered a security vulnerability in Vidio's service, please report it right away. We'll discuss the issue and collaborate to find a solution.
Before conducting security research on Vidio, please read and understand the following guidelines and regulations:
- ♦ Only use your own account for security testing, and avoid causing harm to other users or Vidio's system.
- ♦ Do not disclose security vulnerabilities to the general public without our permission.
- ♦ Only publish validated, non-duplicate security flaws that have undergone our verification process.
- ♦ Refrain from exploiting discovered security vulnerabilities for personal or group gain.
- ♦ Vidio will not take legal action against security researchers who adhere to the Bug Bounty program's rules.
- ♦ Vidio will enforce sanctions and legal measures against those who violate the regulations, based on applicable law, including but not limited to the Law of the Republic of Indonesia No. 11 of 2008 concerning Information and Electronic Transactions.
- ♦ By participating in this program, you acknowledge the above information and agree to abide by the stated rules.
Reporting Step
Submit your findings to security [at] vidio.com, providing a detailed explanation. Your report should include:
- ♦ The type of security vulnerability discovered.
- ♦ Brief steps to reproduce your findings.
- ♦ Proof of Concept (PoC) in the form of an image or video. Attach this to your email.
- ♦ The potential impact of the security vulnerability.
- ♦ Recommendations for fixing the vulnerability.
Rewards
Our rewards are impact-based, meaning we offer higher rewards for vulnerabilities that could expose sensitive user data, and lower or no rewards for vulnerabilities that only allow minor actions, such as defacing a microsite. During our reward meetings, we consider the potential impact of a malicious attacker exploiting the vulnerability and compensate accordingly. We only reward the first reporter who provides actionable information to identify the issue.
Ultimately, reward payouts are at our discretion, but we strive for fairness. Some researchers may disagree with our decisions, but we aim to be ethically responsible and trust that the majority will find their rewards fair and, in many cases, generous. The program will evolve over time. Accepting a reward signifies agreement not to disclose the vulnerability to the public.
TERMS & CONDITIONS
Please keep in mind that your participation in the Bug Bounty Program is entirely voluntary and is subject to the terms and conditions outlined on this page ("Terms & Conditions"). You acknowledge that you have read and agree to these Program Terms by submitting a site or product vulnerability to Vidio.
Forbidden Actions
- ♦ Non-technical assaults, such as social engineering, phishing, or gaining unauthorized access to the matrix—err, infrastructure—are strictly off-limits.
- ♦ Keep your light sabers at bay and avoid initiating any attacks that may interfere with our services (e.g., DDoS/Spam).
- ♦ No targeting our end users, even if you're a Sith Lord. Also, trading pilfered user credentials is a no-go.
- ♦ Employing automated scanners and tools to discover vulnerabilities? That's a big no-no in this galaxy.
- ♦ Don't boldly go where no one has gone before by conducting automated or scripted testing on web forms, especially "Contact Us" forms intended for customer communication with our support team.
- ♦ Feel free to test vulnerabilities in your own or test accounts, but remember: with great power comes great responsibility—don't access others' data.
In-Scope Domain
In-Scope Vulnerability Classes
Content Protection and DRM Issues:
General Vulnerability Classes:
Out-of-scope Vulnerability Classes
- ♦ Open redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing OAuth tokens, we do still want to hear about them.
- ♦ Publicly accessible login panels - These generally have low security impact and are in software that Vidio runs but doesn’t control.
- ♦ Reports that state that software is out of date/vulnerable without a proof of concept.
- ♦ Host header issues without an accompanying proof-of-concept demonstrating vulnerability.
- ♦ XSS issues that affect only outdated browsers.
- ♦ Stack traces that disclose information.
- ♦ CSV injection. Please see this article.
- ♦ Missing best practices (we require evidence of a security vulnerability).
- ♦ Highly speculative reports about theoretical damage. Be concrete.
- ♦ Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console).
- ♦ Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.
- ♦ Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.
- ♦ Denial of Service Attacks.
- ♦ Reflected File Download (RFD).
- ♦ window.opener-related issues.
- ♦ Physical or social engineering attempts (this includes phishing attacks against PT Vidio Dot Com employees).
- ♦ Content injection issues.
- ♦ Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.).
- ♦ Missing autocomplete attributes.
- ♦ Missing cookie flags on non-security-sensitive cookies.
- ♦ Issues that require physical access to a victim’s computer.
- ♦ Missing security headers that do not present an immediate security vulnerability.
- ♦ Fraud issues.
- ♦ SSL/TLS scan reports (this means output from sites such as SSL Labs).
- ♦ Banner grabbing issues (figuring out what web server we use, etc.).
- ♦ Open ports without an accompanying proof-of-concept demonstrating vulnerability.
- ♦ Recently disclosed 0 day vulnerabilities. We need time to patch our systems just like everyone else - please give us two weeks before reporting these types of issues.
- ♦ Disclosure of known public files or directories.
- ♦ Use of a known-vulnerable library without a description of an exploit specific to our implementation.
- ♦ OPTIONS / TRACE HTTP method enabled.
- ♦ Cookies that keep working after logout.
- ♦ Presence of autocomplete attribute on web forms.
- ♦ Cookies that lack HTTP Only or Secure settings for non-sensitive data.
- ♦ Issues related to networking protocols or industry standards.
- ♦ Username enumeration based on login, forgot password, account creation and registration pages. Enforcement policies for brute force or account lockout.
- ♦ Unrealistically complicated clickjacking attacks.
- ♦ Mail configuration issues including SPF, DKIM, DMARC settings.
- ♦ Password or account recovery policies, such as reset link expiration or password complexity.
- ♦ Publicly accessible login panels.
- ♦ Content spoofing / text injection.
- ♦ Mixed content issues.
- ♦ XMLRPC bug.
- ♦ Issues related to active sessions after password changes.
- ♦ Hyperlink injection in emails using forms available to any user.
- ♦ Reports of credentials exposed by other data breaches / known credential lists.
- ♦ Lack of crossdomain.xml, p3p.xml, robots.txt or any other policy files, and/or wildcard (*) presence or misconfiguration in these.
- ♦ Man-in-the-Middle attacks, except for sensitive information such as passwords.
- ♦ Functional product defects, garbled pages, style mixing, file path traversals that do not cause business impact.
- ♦ Lack of root detection in mobile apps.
- ♦ Scenarios requiring excessive user interaction or tricking users like phishing or clickjacking.
- ♦ Rate limiting, brute force attack.
- ♦ Vulnerabilities found in third party services.
- ♦ EXIF data not stripped on images.
- ♦ Phishing risk via unicode/punycode or RTLO issues.
- ♦ Missing HTTP security headers, for example: Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP, Content-Security-Policy-Report-Only.
- ♦ Recently disclosed 0day vulnerabilities. We need time to patch our systems, please give us 1 month before reporting these types of issues.
- ♦ Entering the SCTV Tower, throwing popcorn everywhere, unleashing a bunch of cats, and hijacking our servers while engineers are distracted...
Confidentiality
Bounty is committed to maintaining the confidentiality of any material or information related to Vidio bugs that is acquired directly or indirectly through written, electronic, oral, or observational means ("Confidential Information"). Disclosure of any Confidential Information to third parties by Bounty is strictly prohibited, unless expressly authorized by Vidio. Bounty shall take all reasonable measures to protect the confidentiality of Confidential Information, including but not limited to restricting access to such information only to those third parties who have been informed of its confidential nature and have agreed not to disclose or use such information other than as authorized by Vidio. Any unauthorized or suspected use or disclosure of Confidential Information by Bounty must be promptly reported to Vidio. However, the foregoing provisions do not apply to information that Bounty was already aware of prior to Vidio's exposure, information that was publicly available through no fault of Bounty, information that was disclosed legally to Bounty by a third party without any obligation of confidentiality to Vidio, or information that was independently developed by Bounty without reference to Confidential Information.
Changes to Program Terms
We take our Bug Bounty Program seriously and are committed to providing a secure platform for our users. Therefore, Vidio reserves the right to modify or terminate the Bug Bounty Program, including its policies, at any time and without notice. As a result, Vidio may revise these Program Terms and policies at any time by publishing an updated version on our website. By participating in the Bug Bounty Program after such changes have been made, you agree to accept the Program Terms, as revised.
Hall of Fame
This page is dedicated to you. We are honored to have your name displayed here.
- ♦ Awaken Sin
- ♦ Putra Aji Adhari
- ♦ Foysal Ahmed Fahim
- ♦ Rafi Andhika Galuh
- ♦ Andika Fransisco
- ♦ Amir Farhan
- ♦ Ardyan Vicky Ramadhan
- ♦ Guarded Researcher
- ♦ Bagas
- ♦ Aidil Arief
- ♦ Aman
- ♦ amirfaki234@gmail.com
- ♦ Koutrouss
- ♦ Helmay Cahyadi
- ♦ Tushar Sharma
- ♦ Ashutosh Shukla
- ♦ Udin Gans
- ♦ Raman Mohurle
- ♦ Faiz Hanafi
- ♦ Nitish Shah
- ♦ Eric Head
- ♦ Rifa'i Rejal Maynando
- ♦ Ade Krisna
- ♦ Rovel Prasetya
- ♦ Aviad Carmel - Salt Security
- ♦ Aditya Alfiki
- ♦ Bagas
- ♦ Arez TheHopeBuster
- ♦ Galatia Sijabat
- ♦ Soultan Muhammad Albar
- ♦ Mahendra Nanda
- ♦ Azhari Harahap x2
- ♦ Maulana Noer Fauzy
- ♦ Rama Aryo Prambudi