No technology is perfect, and Gener8 believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
While researching, please be considerate of our customers, employees and systems:
When using brute force or automated testing tools you MUST NOT exceed 1 request per second.
If you are using automated testing tools, you MUST NOT use multiple IP addresses or run them concurrently in a manner that would exceed the 1 RPS limit.
If you register accounts for testing purposes please observe the following:
MUST register using your wearehackerone.com email address OR include 'HackerOne' in your registration name.
MUST delete the account no more than 7 days after creating it.
MUST NOT create more than 10 accounts in a 7-day period.
MUST NOT create accounts with email addresses that you do not control and may otherwise be legitimate e.g.
MUST NOT purchase items from our marketplace in the following categories: Gift cards, Merchandise or Products.
While researching, we'd like to ask you to refrain from:
Any activity that could lead to the disruption of our service (DoS)
Social engineering (including phishing) of Gener8 staff or contractors
Any physical attempts against Gener8 property or data centers
When reporting vulnerabilities, please consider the attack scenario / exploitability and the security impact of the bug. The following types of issue are considered out of scope:
Theoretical attacks without proof of exploitability
Session expiration bugs. We are aware that sessions do not expire immediately after exit and consider the risks mitigated by other safeguards we have in place.
Any vulnerability outside our control, such as hosting providers or other third-party vendors, unless we have not configured it securely using the settings made available to us by the vendor.
A report of a vulnerability resulting from a violation of the program guidelines
Invalid, incomplete or missing SPF/DKIM/DMARC records, on domains other than
Missing HttpOnly or Secure flags on cookies
Attacks requiring MITM or physical access to a user's device.
Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Gener8 and our users safe!
|Scope Type||Scope Name|
This policy, crawled by Onyphe on 2020-07-21, is sorted as bounty.