At Hudu, we love working with security researchers.
If you are a security researcher and believe you have found a potential security issue in the Hudu platform, please contact us. We will make every effort to quickly resolve the problem.
Submitting a Report
After creating a report, please send it to us here. Please read the following rules, policies, and information on response targets to make sure you are eligible for a reward.
Disclosure Policy and Program Rules
- A Proof of Concept (PoC) is required for all reports.
- We may ask you to help confirm the fix.
- Please submit a detailed report with screenshots, steps on how to reproduce, and anything else that will help us validate your findings. If we can't reproduce the issue, then we can't award the report.
- If creating accounts, please keep to a limit of 3 accounts.
- Make a good faith effort to avoid the destruction of data, privacy violations, and anything that could degrade our service. Only interact with accounts you own.
- When there is a duplicate submission, we will only award the first report that was received (as long as it can be fully reproduced).
- Please only submit one vulnerability at a time (unless it requires additional context).
- Please refrain from:
- Social engineering (including phishing) of Hudu staff, contractors, or customers.
- Any physical attempts against Hudu property or data centers.
- Denial of service.
- Brute forcing.
Out of Scope
The following list is out of scope:
- Attacks requiring MITM or physical access to a user's device.
- Attacks requiring attacker control over a user's email account.
- Previously known vulnerable libraries without a working Proof of Concept.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version].
- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
- Issues that require unlikely user interaction.
- Additional Out Of Scope Targets that are not built by us/related to our core software platform. These include, but are not limited to
- Hudu Social Media Accounts
- Blog.usehudu.com or blog.hudu.com
- Hudu HQ hq.hudu.com