Security

Responsible Disclosure

Hund takes security seriously. It’s our top priority to keep infrastructure and user data secure from potential threats. We encourage security professionals to try and find vulnerabilities on our platform. Depending on the severity of received reports, we will reward those who make responsible disclosures with acknowledgement, swag, and/or bounty money.

Reports can be sent to security@hund.io. Use our public GPG key to encrypt messages containing sensitive information. Please provide us with your public key so that we can encrypt further sensitive correspondence.

Fingerprint: CC54 E768 8FB0 1856 0A7D A5E6 FC86 029D CF27 91AC

Program Scope

We’re interested in the following categories of vulnerabilities:

Cross-site Scripting (XSS)
Cross-site Request Forgery (CSRF)
Server-side Request Forgery (SSRF)
Database Manipulation
Server-side Remote Code Execution (RCE)
Access Control Issues
Directory Traversal Issues
Local File Disclosure (LFD)

We’re not interested in receiving reports for the following (out-of-scope):

Best practice concerns
Theoretical reports without solid exploitation information (e.g. open ports)
Self-XSS which cannot be used to exploit users
Vulnerabilities reported from automated tools
Denial of Service attacks
Missing cookie flags or security headers
Certificate scan reports
Banner grabbing issues

Program Rules

Please abide by the following rules while performing research:

Do not attempt to gain access to another user’s account or data
Do not perform an attack which could harm the integrity of our services or data
Do not publicly disclose a vulnerability before it has been fixed
Do not test for vulnerabilities of third-party services which we might use
Do not use automated tools or scanners which produce noise and are unhelpful
Do not phish or use social engineering attacks

Acknowledgements

Hund would like to thank the following security researchers who have helped keep us secure by participating in our responsible disclosure program: