Hud™ app is a casual dating and hookup app with 8 million users that is honest about the realities of online dating.

Hud™ looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.

Response Targets

Hud™ will make a best effort to meet the following response targets for hackers participating in our program:

| Type of Response | SLA in business days |

| ------------- | ------------- |

| First Response | 2 days |

| Time to Triage | 2 days |

| Time to Resolution | depends on severity and complexity |

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.

• Follow HackerOne's disclosure guidelines.

Program Rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.

• You should be able to prove that there is a vulnerability using your own test account and your own data.

• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

• When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).

• Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Test Plan and Guidance

Registering an account on Hud App

• Account registration is free, which will give you access to a BASIC account. However, the premium account requires a subscription.

• You may register free accounts on the Hud App with Apple ID, phone number or Facebook, When signing up with either Apple ID or Facebook will be asked to bind your phone number to the account. Each phone number will be only allowed to create ONE account on the Hud App. However, you may choose to create two accounts if you have two separate phone numbers.

• If you would like a premium account for testing purposes, you can request it from us at hackerone@hudapp.com and we will grant you one. Note: Your Hackerone account username and your HUD account username MUST be included in your request email.

• If your account gets suspended during the course of your testing, please contact us at hackerone@hudapp.com to un-suspend your account. Note: If you wish to contact support regarding your account and you are NOT a Hackerone member, please contact us at support@hudapp.com

• Please make sure you are NOT doing any types of DOS testing on our service, otherwise, your account will be suspended permanently.

• Please do NOT use noticeably fake pictures, celebs, or famous people on your account.

• Please deactivate your account after your testing.

Testing Focus Areas

We are happy to receive any in-scope vulnerabilities reports from our frontend App and backend services. In particular, we are concerned with:

• Vulnerabilities that expose our customers’ personally identifiable information

• Vulnerabilities that may allow for an attacker to take over another user’s account

Priority Assets

We have included all of our assets within the scope. However, we are primarily concerned with the following key assets associated with Hud App, which is our primary application.

• Hud App on Apple App Store: https://apps.apple.com/app/hud-1-hookup-app/id1042814349

• Hud App on Android Play Store Store: https://play.google.com/store/apps/details?id=com.hookupdating

• Primary API: https://prod-cloud.hookupdating.mobi/

• Real Time API: https://prod-realtime.hookupdating.mobi/

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

• Clickjacking on pages with no sensitive actions

• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions

• Attacks requiring MITM or physical access to a user's device.

• Previously known vulnerable libraries without a working Proof of Concept.

• Comma Separated Values (CSV) injection without demonstrating a vulnerability.

• Missing best practices in SSL/TLS configuration.

• Any activity that could lead to the disruption of our service (DoS).

• Content spoofing and text injection issues without showing an attack vector/without being able * to modify HTML/CSS

• Rate limiting or bruteforce issues on non-authentication endpoints

• Missing best practices in Content Security Policy.

• Missing HttpOnly or Secure flags on cookies

• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

• Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]

• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).

• Tabnabbing

• Open redirect - unless an additional security impact can be demonstrated

• Issues that require unlikely user interaction

• Absence of certificate pinning

• Lack of obfuscation

• Exposure of Hud Android App AWS Key (ending with KDV4Q)

Contact us for questions

If you have any specific questions pertaining to the program scope and vulnerabilities, or face challenges while testing, please reach out to the Hud App Team at hackerone@hudapp.com. Please also CC the HackerOne Program Manager (muchfimuchfeelz@wearehackerone.com) in your email.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Hud™ and our users safe!