A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

Contact: security@hostinger.com
Preferred-Languages: en


Hostinger International Ltd.

Hostinger International Ltd. Responsible Disclosure Policy and Bug Rewards Program

PLEASE READ THIS AGREEMENT CAREFULLY, AS IT CONTAINS IMPORTANT INFORMATION REGARDING YOUR LEGAL RIGHTS AND REMEDIES.

POLICY OF RESPONSIBLE DISCLOSURE:
At Hostinger International Ltd, we promote responsible disclosure of all security vulnerabilities on our website or in any of our services. To encourage this responsible disclosure, we agree that if, in Hostinger’s sole discretion, we settle that any disclosure meets complete guidelines of Bug Rewards Program of Hostinger International Ltd, we will not raise any criminal or private legal action counter to the disclosing party.


BUG REWARDS PROGRAM
Hostinger International Ltd. offers monetary bounties for the responsible disclosure of certain qualifying security vulnerabilities. Our Bug Rewards Program works as follows

SERVICES IN SCOPE:
All subdomains under hostinger.com are in-scope except the ones used in 3rd party services, e.g.:
  affiliates.hostinger.com
  statuspage.hostinger.com

QUALIFYING VULNERABILITIES:
Hostinger International Ltd. will accept a report of any vulnerability that substantially affects the confidentiality or integrity of any eligible Hostinger International Ltd. service. Eligible vulnerabilities include, but are not limited to:

Authentication and Authorization Flaws
Remote Code Execution
SQL Injection
Directory Traversal
Privilege Escalation

Non-Qualifying Vulnerabilities
If a domain is not contained inside hostinger.com, it will not be included in the scope of third party programs, plug-ins and the Bug Rewards Program.

All researchers participating in the Bug Rewards Program may please note that certain actions do not come within the scope of this program. The non-qualifying actions under the Bug Rewards Program are:

Click-jacking
Cross Site Scripting (XSS)
Phishing attacks
Missing SPF/DKIM/DMARC records
Cross Site Request Forgery (CSRF)
Physical attacks
DoS, DdoS attacks, user enumeration or brute force
Bugs dependent on Social engineering
Directory listing (unless sensitive data is found)
Blackhat SEO strategies
Bugs depending on out-of-date browsers
BEAST/ CRIME attacks
Logout CSRF
Version or Banner disclosures
Any reports generated from computerized vulnerability scanners are not accepted at Hostinger.

BOUNTIES:
All bounties are awarded at the discretion of the Hostinger International Ltd. Bug Rewards Team, based on the severity of the reported vulnerability. Where an award is made, the minimum amount of the bounty will be Fifty Dollars ($50.00). Only one (1) bounty will be awarded per security bug. The awards will be made to the first researcher to responsibly disclose a particular bug.

Investigating and Reporting:

The security researcher submitting a vulnerability must thoroughly vet and confirm the vulnerability prior to submission. All submissions must include the following:

Steps to reproduce the vulnerability; and
A clear description of any accounts used in your report and any relationships between them.
To report a vulnerability, please send an email to security@hostinger.com

BEST PRACTICES FOR GOOD REPORTS
Making a detailed and step by step report for bug reproducing is recommended. Please include all details such as links clicked, User Ids and links of web pages visited.
Adding more details such as images and videos helps make it clear. Do add any image captions or brief descriptions wherever possible to make the information more useful.
Vulnerability verification becomes easier and quicker by using consistently reliable exploit code.

CONFIDENTIALITY
All information and data accessed or collected under the Bug Rewards Program about Hostinger’s employees or Hostinger International Ltd, has to be kept absolutely confidential and to be used only for actions directly connected to the Program. Any confidential information needs Hostinger’s written consent before it’s disclosure. Vulnerabilities can be disclosed only after all suitable remediation has been completed.  If any confidential information is disclosed without Hostinger’s prior written consent, it will lead to an immediate elimination from the Program.

LEGAL
When you participate in Hostinger’s Bug Rewards Program, you confirm that you have read and understood Hostinger’s Privacy Policy and Universal Terms of Service Agreement. Any of your testing actions should not disrupt any services, compromise any data that’s not yours or violate any applicable law.  You further confirm that you will be solely responsible for all withholdings and taxes that directly arise when you participate in the Bug Rewards Program of Hostinger, including the rewards received.
If and when Hostinger uses any third-party service provider to manage its Bug Rewards Program, the provider’s terms and conditions will be applicable. Hostinger has the final discretion to pay or not pay the reward. Since this is a discretionary rewards program, it is liable for cancellation at any given time.