Hudu Vulnerability Disclosure Program

At Hudu, we love working with security researchers.

If you are a security researcher and believe you have found a potential security issue in the Hudu platform, please contact us. We will make every effort to quickly resolve the problem.

 

Submitting a Report

After creating a report, please send it to us here. Please read the following rules, policies, and information on response targets to make sure you are eligible for a reward.

 

Disclosure Policy and Program Rules

  • A Proof of Concept (PoC) is required for all reports.
  • We may ask you to help confirm the fix.
  • Please submit a detailed report with screenshots, steps on how to reproduce, and anything else that will help us validate your findings. If we can't reproduce the issue, then we can't award the report.
  • If creating accounts, please keep to a limit of 3 accounts.
  • Make a good faith effort to avoid the destruction of data, privacy violations, and anything that could degrade our service. Only interact with accounts you own.
  • When there is a duplicate submission, we will only award the first report that was received (as long as it can be fully reproduced).
  • Please only submit one vulnerability at a time (unless it requires additional context).
  • Please refrain from:
    • Social engineering (including phishing) of Hudu staff, contractors, or customers.
    • Any physical attempts against Hudu property or data centers.
    • Denial of service.
    • Brute forcing.
    • Spamming.

 

Out of Scope

The following list is out of scope:

  • Attacks requiring MITM or physical access to a user's device.
  • Attacks requiring attacker control over a user's email account.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version].
  • Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
  • Tabnabbing.
  • Issues that require unlikely user interaction.
  • Additional Out Of Scope Targets that are not built by us/related to our core software platform. These include, but are not limited to
    • support.usehudu.com
    • community.hudu.com
    • feedback.hudu.com
    • Hudu Social Media Accounts
    • Hudu.com
    • Blog.usehudu.com or blog.hudu.com
    • Hudu HQ hq.hudu.com

 

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
 
Thank you for helping keep Hudu and our users safe!
 
Was this article helpful?
0 out of 0 found this helpful