We take the security of our systems seriously, and we welcome responsible security research. This page provides ways for security researchers to notify us of potential vulnerabilities within our platform.
Guidelines
We require that all researchers:
- Make every effort to avoid privacy violations, degradation of user experience (such as denial of service or modifying configurations), disruption to production systems, deletion or damage of resources, destruction of data during security testing, and targeting of our staff, investors, customers or physical environment (e.g. through spear phishing and physical testing);
- Perform research only within the scope set out below;
- Use the identified communication channels to report vulnerability information to us; and
- Keep information about any vulnerabilities you’ve discovered confidential between yourself and Halaxy until we’ve had a reasonable time (as a guide, at least 90 days) to resolve the issue.
If you follow these guidelines when reporting an issue to us, we commit to:
- Not pursue or support any legal action related to your research (in the event of any non-compliance, we reserve all of our legal rights); and
- Work with you to understand the issue, and resolve it if Halaxy considers it necessary.
Please note that we do not compensate individuals or organisations for identifying potential or confirmed security vulnerabilities. Any requests for monetary or other compensation will be deemed in violation of this Responsible Disclosure Program.
In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:
- Network level Denial of Service (DoS/DDoS) vulnerabilities
- Reports from automated vulnerability scanners
- Any test that attempts to access records that do not belong to an account holder
- Findings from physical testing such as office access (e.g. open doors, tailgating)
- Findings derived primarily from social engineering (e.g. phishing, vishing)
- Findings from applications or systems not listed in the ‘Scope’ section
- UI and UX bugs and spelling mistakes, as well as HTTP 404 codes or pages, or other HTTP non-200 codes or pages
- Self-exploitation issues (such as self XSS, cookie reuse, self denial of service, etc.)
- Weak password policy implementation
- Use of known-vulnerable libraries or frameworks (e.g. outdated jQuery or AngularJS) without a valid attack scenario
In reporting a vulnerability, we do not want to receive:
- Personally identifiable information (PII)
- Credit card holder data
How to report a security vulnerability?
If you believe you’ve found a security vulnerability in our platform please send it to us by emailing security@halaxy.com. Please include the following details with your report:
- Description of the location and potential impact of the vulnerability;
- A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, proof-of-concept code where applicable, and compressed screen captures are all helpful to us);
- The names of any test accounts you have created (where applicable); and
- Your contact information.