{"id":8895,"date":"2023-08-23T12:07:23","date_gmt":"2023-08-23T06:37:23","guid":{"rendered":"https:\/\/stg.tftus.com\/?page_id=8895"},"modified":"2023-08-23T12:07:23","modified_gmt":"2023-08-23T06:37:23","slug":"vulnerability-disclosure-program","status":"publish","type":"page","link":"https:\/\/stg.tftus.com\/blogs\/vulnerability-disclosure-program\/","title":{"rendered":"Vulnerability Disclosure Program"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-page\" data-elementor-id=\"8895\" class=\"elementor elementor-8895\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-4f013d1 elementor-section-full_width container elementor-section-height-default elementor-section-height-default\" data-id=\"4f013d1\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-4f7caef\" data-id=\"4f7caef\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-inner-section elementor-element elementor-element-790601c elementor-section-full_width elementor-section-height-default elementor-section-height-default\" data-id=\"790601c\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-inner-column elementor-element elementor-element-be5cc3b\" data-id=\"be5cc3b\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e4ba50b elementor-widget elementor-widget-heading\" data-id=\"e4ba50b\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title 
elementor-size-default\">Vulnerability Disclosure Program<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8369d2e elementor-widget elementor-widget-text-editor\" data-id=\"8369d2e\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<h2><b>Welcome to the TFT VDP Policy<\/b><\/h2><p><span style=\"font-weight: 400;\">At Think Future Technologies (TFT), security is paramount. We invite security researchers and ethical hackers to participate in our Vulnerability Disclosure Program. By reporting potential vulnerabilities and security issues in our technology services, libraries, solutions, and frameworks, you help us ensure the highest level of security for our clients. We value your expertise and partnership in enhancing our offerings and protecting our clients&#8217; business outcomes. Join us in building a safer technological future.<\/span><\/p><h3><strong>Disclosure Policy<\/strong><\/h3><ol><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">We request that you inform us promptly upon discovering a potential security vulnerability. Our team will work quickly to resolve the issue.<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">We ask for a reasonable time period to resolve the issue before it is disclosed to the public or any third party.<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">We kindly request that you make a sincere effort to avoid violating privacy, damaging data, or disrupting our services in any way.<\/span><\/li><\/ol><h3><strong>Reporting Guidelines<\/strong><\/h3><ol><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Please provide a detailed report with a clear textual description of the issue along with steps to reproduce the vulnerability.<\/span><\/li><li style=\"font-weight: 400;\" 
aria-level=\"1\"><span style=\"font-weight: 400;\">You must include attachments such as screenshots or PoC code where necessary.<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Include a clear attack scenario: how exactly would this affect us?<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.<\/span><\/li><\/ol><p><span style=\"font-weight: 400;\">If you have discovered any vulnerability in the TFT platform, please submit it to our vulnerability disclosure program hosted by BugBase.<\/span><\/p><p><a href=\"https:\/\/bugbase.in\/programs\/thinkfuturetechnologies\"><button style=\"font-weight: 600; display: inline-block; outline: 0; border: none; cursor: pointer; border-radius: 4px; font-size: 13px; height: 30px; background-color: #6ec1e4; color: white; padding: 0 10px;\">Visit BugBase<\/button><\/a><\/p><p style=\"text-align: center;\"><span style=\"font-weight: 400;\">OR<\/span><\/p><p><span style=\"font-weight: 400;\">Report the identified bug to our security team by sending an email from your registered email address to <\/span><a href=\"mailto:sirt@stg.tftus.com\"><span style=\"font-weight: 400;\">sirt@stg.tftus.com<\/span><\/a><span style=\"font-weight: 400;\"> containing the details below, with the subject prefixed &#8220;Bug Name&#8221;. 
The mail should strictly follow the format below.<\/span><\/p><p style=\"text-align: left; padding-left: 40px;\"><span style=\"font-weight: 400;\">Subject: Bug:<\/span><span style=\"font-weight: 400;\"> Vulnerability Name &#8211; Your Full Name<\/span><\/p><p style=\"text-align: left; padding-left: 40px;\"><span style=\"font-weight: 400;\">Email body:<\/span><\/p><ul class=\"email-body\"><li style=\"list-style-type: none;\"><ul class=\"email-body\" style=\"text-align: left;\"><li style=\"font-weight: 400;\" aria-level=\"1\">Vulnerability Information:<br \/><ul class=\"email-body\"><li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Name of Vulnerability:<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Vulnerability Category:<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Description:<\/span><br \/><ul class=\"email-body\"><li style=\"font-weight: 400;\" aria-level=\"3\"><span style=\"font-weight: 400;\">Vulnerable Instances:<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"3\"><span style=\"font-weight: 400;\">Steps to Reproduce:<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"3\"><span style=\"font-weight: 400;\">Proof of Concept:<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"3\"><span style=\"font-weight: 400;\">Impact:<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"3\"><span style=\"font-weight: 400;\">Recommendation:<\/span><\/li><\/ul><\/li><\/ul><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Your details:<\/span><br \/><ul class=\"email-body\"><li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Full Name:<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Email Address:<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Mobile 
Number:<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Any publicly identifiable profile:<\/span><\/li><\/ul><\/li><\/ul><\/li><\/ul><p style=\"text-align: left; padding-left: 40px;\"><span style=\"font-weight: 400;\">Note: The TFT security team will review the submission and respond within 7 working days.<\/span><\/p><h3><strong>Security Focus Areas<\/strong><\/h3><p><span style=\"font-weight: 400;\">At TFT&#8217;s Vulnerability Disclosure Program, we prioritize the discovery of security vulnerabilities that directly impact the integrity and confidentiality of our technology ecosystem. We highly appreciate your efforts in helping us identify and rectify potential threats. Our program focuses on the following critical areas:<\/span><\/p><ol><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Admin Panel: Uncovering vulnerabilities in our admin panel that could lead to unauthorized access or compromise of sensitive data.<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Open Ports: Identifying potential security risks associated with open ports, which could expose our systems to unauthorized external access.<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Sensitive Information: Discovering instances where sensitive information might be inadequately protected, potentially leading to data leaks or unauthorized disclosures.<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Contact Form: Highlighting vulnerabilities in our contact form to prevent potential exploits that might compromise user communication or data.<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Form Submission: Examining the security of form submissions to ensure that user inputs are 
properly sanitized and validated to prevent potential attacks.<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">File Upload on Career Section: Identifying weaknesses in the file upload functionality within our career section to prevent potential malicious file uploads or unauthorized access.<\/span><\/li><\/ol><h3><strong>Acknowledgements<\/strong><\/h3><p><span style=\"font-weight: 400;\">We currently don&#8217;t operate a bounty or cash reward initiative for disclosures; however, we have various ways to show our appreciation for your valuable input. In cases of sincere and ethical disclosures, we&#8217;re more than willing to recognize your contribution publicly. This recognition can take the form of an acknowledgement in the dedicated section on our website. Of course, we&#8217;ll proceed with this gesture only if you&#8217;re comfortable with receiving public acknowledgement.<\/span><\/p><h5><strong>Hall of Fame Criteria<\/strong><\/h5><ol><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Your name and profile, with valid critical and high findings, will be displayed on our <\/span><a href=\"https:\/\/stg.tftus.com\/hall-of-fame\"><span style=\"font-weight: 400; color: #0356a8;\">&#8220;Hall of Fame&#8221;<\/span><\/a><span style=\"font-weight: 400;\"> page.<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Your name and profile, with more than 5 new valid medium and low findings within 90 days, will also be displayed on our <\/span><a href=\"https:\/\/stg.tftus.com\/hall-of-fame\"><span style=\"font-weight: 400; color: #0356a8;\">&#8220;Hall of Fame&#8221;<\/span><\/a><span style=\"font-weight: 400;\"> page.<\/span><\/li><\/ol><h3><strong>Exclusions<\/strong><\/h3><h5>Out of Scope Domains<\/h5><ol><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Any subdomains of stg.tftus.com unless mentioned 
&#8220;in-scope&#8221;<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">All testing and staging environments are out of scope for this program<\/span><\/li><\/ol><p><span style=\"font-weight: 400;\">Reports falling into the categories listed below are considered out of scope for our VDP program:<\/span><\/p><ol><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Clickjacking on pages with no sensitive actions<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Attacks requiring MITM or physical access to a user&#8217;s device<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Any activity that could lead to the disruption of our service (DoS)<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Content spoofing and text injection issues without showing an attack vector\/without being able to modify HTML\/CSS<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Rate limiting or brute-force issues on non-authentication endpoints<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Missing security headers<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Self XSS<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Missing HttpOnly or Secure flags on cookies<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Weak password policies<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span 
style=\"font-weight: 400;\">Session hijacking<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Missing email best practices (Invalid, incomplete or missing SPF\/DKIM\/DMARC records, etc.)<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Software version disclosure \/ Banner identification issues \/ Descriptive error messages or headers (e.g. stack traces, application or server errors) \/ Known public files or directories disclosure (e.g. robots.txt, css\/images etc)<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Public Zero-day vulnerabilities that have had an official patch for less than 1 month<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Tabnabbing<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Open redirect &#8211; unless an additional security impact can be demonstrated<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Issues that require exceedingly unlikely user interaction<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Spamming (e.g. SMS\/Email Bombing).<\/span><\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Welcome to the TFT VDP Policy At Think Future Technologies (TFT), security is paramount. We invite security researchers and ethical hackers to participate in our Vulnerability Disclosure Program. 
By reporting potential vulnerabilities and security issues in our technology services, libraries, solutions, and frameworks, you help us ensure the highest level of security for our clients. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-8895","page","type-page","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/stg.tftus.com\/blogs\/wp-json\/wp\/v2\/pages\/8895","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/stg.tftus.com\/blogs\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/stg.tftus.com\/blogs\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/stg.tftus.com\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/stg.tftus.com\/blogs\/wp-json\/wp\/v2\/comments?post=8895"}],"version-history":[{"count":0,"href":"https:\/\/stg.tftus.com\/blogs\/wp-json\/wp\/v2\/pages\/8895\/revisions"}],"wp:attachment":[{"href":"https:\/\/stg.tftus.com\/blogs\/wp-json\/wp\/v2\/media?parent=8895"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}