Responsible Disclosure Policy – Mountpeakonline.com
At Mountpeakonline.com (including its affiliates) (hereinafter referred to as ‘www.mountpeakonline.com’), we appreciate and encourage security researchers to contact us to report potential vulnerabilities identified in any product, or system, or asset belonging to us.
In support, we have established a Responsible Disclosure Policy, also called a Vulnerability Disclosure Policy. This policy is designed to create a clear communication path around reporting and disclosing exploitable vulnerabilities in our systems.
We may modify and revise this policy at our sole discretion as we move forward into the future; please continue to check here for updates.
Rules of Engagement
-
-
- Researchers submitting a vulnerability to Mountpeakonline.com agree to be bound by the terms of the Responsible Disclosure Policy (hereinafter referred to as the ‘Terms’).
- What is in scope and out of scope when discovering vulnerabilities is clearly mentioned and specified in the sections below.
- Researchers shall ensure that they do not engage in privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Researchers should only use/exploit to the extent necessary to confirm a vulnerability. Researchers should not use or exploit to compromise or exfiltrate data, establish command-line access and/or persistence, or use/exploit to “pivot” to other systems.
- Once a researcher establishes that a vulnerability exists, or encounters any sensitive data, the researcher shall stop any further testing and notify MountPeakonline.com immediately. Researchers are required to keep any information about discovered vulnerabilities confidential even after submitting the vulnerability report.
- MountPeakonline.com discourages violation of applicable laws and breach of any agreements in order to discover vulnerabilities and reserves the right to pursue legal action when the terms of this policy are violated or when testing is performed outside the scope of this policy. The decision made by our security team regarding the validity, severity & impact of a vulnerability will be considered final and cannot be contested.
- MountPeakonline.com may share your vulnerability reports with any affected partners, vendors or open-source projects.
-
Authorization
-
-
- If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, will work with you to understand and resolve the issue quickly, and MountPeakonline.com will not initiate or recommend legal action related to your research.
- If the identified vulnerability can be used to potentially extract information of our customers or systems, or impair our systems’ ability to function normally, then please refrain from actually exploiting such a vulnerability. This is absolutely necessary for us to consider your disclosure a responsible one.
- While we appreciate the inputs of researchers, we may take legal recourse if the identified vulnerabilities are exploited for unlawful gains or getting access to restricted customer or system information, or impairing our systems. While we appreciate the inputs of researchers, we may take legal recourse if the identified vulnerabilities are exploited for unlawful gains or getting access to restricted customer or system information or impairing our systems.
-
Policy Coverage Area
-
-
- Following Mobile Apps and Websites under (or a sub-domain of) the domains are covered as part of this policy –
- MountPeakonline.com
- Mountpeakonline Android App
- Mountpeakonline iOS App
- Following Mobile Apps and Websites under (or a sub-domain of) the domains are covered as part of this policy –
-
-
-
- If you encounter any vulnerability on our systems while testing within the scope of this policy, stop your test and notify us immediately.
-
Out of Scope Vulnerabilities
-
-
- General software-related bugs (like SSL, older versions, etc.)
- Vulnerabilities related to SPF/DMARC/DKIM records, which do not result in demonstrated compromise
- Missing security headers etc. or other security best practices, which do not result in demonstrated compromise
- Vulnerabilities related to outdated app versions or browsers – exploits/vulnerabilities related to current versions and only in the latest browser versions are accepted
- Exploits that need MITM or physical access to the victim’s device
- Clickjacking related submissions
- Unauthenticated/logout/login CSRF
- Previously known vulnerable libraries without a working Proof of Concept
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Open redirect
- Missing CAA headers
- Stack traces, directory listings or path disclosure
- Self XSS
- Social engineering attacks, both against users or employees
- Issues on non-company assets like GitHub, Cloud Providers or others, which MountPeakonline.com may be using
- Forgot Password page brute-force and account lockout not enforced
- Lack of Captcha
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Session Timeouts
- Host Header Injection
- Exposed API keys without a clear demonstration of security impact
- Specifically, exposed Google Map APIs keys and keys in Android XML files are out of scope for now
-
General Rules – Do’s & Don’t
-
-
- Do not launch Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
- Automated tools or scripts are strictly prohibited.
- Any POC submitted should have a proper step-by-step guide to reproduce the issue. As stated above, abuse of any vulnerability found shall be liable for legal penalties.
- Make every effort to avoid – privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
- Do not attempt to gain access to any other person’s account, data, or personal information.
- Do use their real email address to report any vulnerability information to us.
- Keep information about any vulnerabilities you have discovered confidential between yourself and MountPeakonline.com. The Researcher shall not publicly disclose the bug or vulnerability on any online or physical platform before it is fixed and prior written approval to publicly disclose is obtained from MountPeakonline.com.
- Do not use scanners or automated tools to find vulnerabilities.
- As a security researcher, you represent and warrant that you have the right, title, and interest to disclose any vulnerability found and to submit any information, including documents, and codes, among others, in connection therewith. Once you inform a vulnerability, you grant MountPeakonline.com, its subsidiaries, and affiliates an irrevocable, worldwide, royalty-free, transferable, sublicensable right to use in any way MountPeakonline.com deems appropriate for any purpose. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure accepted by MountPeakonline.com.
- Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
-
How to report
-
-
- The identified vulnerability should be reported to us by sending us a mail to security@MountPeakonline.com (Subject: Suspected Vulnerability at MountPeakonline.com App/Website). The mail should follow the format below:
Individual Details:
- Full Name
- Mobile Number
- Any Public profile (Twitter, LinkedIn, Github etc.)
- The identified vulnerability should be reported to us by sending us a mail to security@MountPeakonline.com (Subject: Suspected Vulnerability at MountPeakonline.com App/Website). The mail should follow the format below:
-
Bug Details:
-
-
-
- Name of the Vulnerability
- Affected Application
- Vulnerable Endpoint & Parameter
- Impact
- Detailed steps to reproduce
- Remediation
-
-
Please keep your vulnerability reports current by sending us any new information as it becomes available. We may share your vulnerability reports with any affected partners, vendors, or open-source projects.
Recognition
-
-
- We may at our sole discretion send out MountPeakonline.com Swag in some cases.
-
Eligibility for Recognition
-
-
- Must be the first person to responsibly disclose the vulnerability.
- Vulnerability discovered must be found when testing within the scope of this policy.
- Reported vulnerability significantly impacts the security and integrity of MountPeakonline.com services or impacts the privacy of customer or partner data.
-
Mountpeakonline.com may at its sole discretion rate vulnerabilities as critical, high, medium, and low.