Security

Responsible Disclosure

Hund takes security seriously. It’s our top priority to keep infrastructure and user data secure from potential threats. We encourage security professionals to try and find vulnerabilities on our platform. Depending on the severity of received reports, we will reward those who make responsible disclosures with acknowledgement, swag, and/or bounty money.

Reports can be sent to security@hund.io. Use our public GPG key to encrypt messages containing sensitive information. Please provide us with your public key so that we can encrypt further sensitive correspondence.

Fingerprint: E6AD 238C 1821 6151 E349 5E94 A39A 1864 B4F4 C98D

Program Scope

We’re interested in the following categories of vulnerabilities:

  • Cross-site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • Server-side Request Forgery (SSRF)
  • Database Manipulation
  • Server-side Remote Code Execution (RCE)
  • Access Control Issues
  • Directory Traversal Issues
  • Local File Disclosure (LFD)

We’re not interested in receiving reports for the following (out-of-scope):

  • Best practice concerns
  • Theoretical reports without solid exploitation information (e.g. open ports)
  • Self-XSS which cannot be used to exploit users
  • Vulnerabilities reported from automated tools
  • Denial of Service attacks
  • Missing cookie flags or security headers
  • Certificate scan reports
  • Banner grabbing issues

Program Rules

Please abide by the following rules while performing research:

  • Do not attempt to gain access to another user’s account or data
  • Do not perform an attack which could harm the integrity of our services or data
  • Do not publicly disclose a vulnerability before it has been fixed
  • Do not test for vulnerabilities of third-party services which we might use
  • Do not use automated tools or scanners which produce noise and are unhelpful
  • Do not phish or use social engineering attacks

Acknowledgements

Hund would like to thank the following security researchers who have helped keep us secure by participating in our responsible disclosure program:

  • Maulik Shah