Transparency, information and collaboration are values that we care here in
No technology is perfect, and SecNews believes that working with skilled
security researchers across the globe is crucial in identifying weaknesses in
We are always interested in how we can make our website and our infrastructure
more secure. Anyone knows how the power of the security researcher community
can help an entity to achieve results more quickly and more effectively than
can achieve on their own resources.
For all the above reasons, we are announcing SecNews vulnerability disclosure
and bug bounty program in cooperation with HackerOne bug reporting platform.
The vulnerabilities identified in the HackerOne reports will be classified by
the degree of risk as well as the impact they present to the host system, this
includes the amount and type of data exposed, privilege level obtained,
proportion of systems or users affected.
Do not try to further pivot into the network by using a vulnerability. The
rules around Remote Code Execution (RCE) are listed below. Do not try to
exploit service providers we use, prohibited actions include, but are not
limited to bruteforcing login credentials of Domain Registrars, DNS Hosting
Companies, Email Providers and/or others. SecNews does not authorize you to
perform any actions to a non-SecNews owned property/system/service/data.
If you believe you've found a security issue or vulnerability that can impact
SecNews website, infrastructure or our users and visitors, we encourage you to
notify us the soonest possible. We will investigate all legitimate reports and
do our best to fix any security vulnerability.
We are more than happy to work with all of you to resolve the issue and from
our side we ask to be aligned with SecNews Disclosure Policy and Guidelines .
Thank you for helping keep SecNews and our users safe!
Any web properties owned by SecNews are in scope for the program.While many of
our web properties are in-scope for submissions, not all are eligible for
- www.secnews.gr __SecNews visitors or authors are out of scope for our Vulnerability Disclosure program.
- *.secnews.gr (en.secnews.gr,fr.secnews.gr ...etc). These are translated versions of our website running in external service (IN scope for submissions but eligible for small bounties).
In order for your submission to be eligible:
- You must agree to our Disclosure Policy.
- You must be the first person to responsibly disclose an unknown issue.
All legitimate reports will be reviewed and assessed by SecNews's security
team to determine if it is eligible.
We cannot accept submissions from children under the age of 13. Reporters
under the age of 13 will not be eligible to receive SecNews rewards. We will
find another way to recognize your effort.
For each eligible vulnerability report, the reporter will receive one, part or
maybe all of the below items & services according to the final reward panel
- Recognition on our webpage secnews.gr, in the top slider for more than 6 weeks . Promotion of the reporter to the social media and through our mailing list.
- Article about the reporter or a full interview (only if the reporter wants publicity)
- A limited edition of an EXCLUSIVE SecNews t-shirt.
- If the vulnerability reported is severe and of high importance a reward amount in range from 50€ - 3000€ is also provided.
- The amounts listed are for good quality reports that don't require complex or unlikely user interaction
- Less convincing or more constrained bug submissions will likely qualify for reduced reward amounts, as chosen at the discretion of the reward panel.
- On top of these rewards, we offer either a range of 50€ - 500€ if a well-written patch is provided with the report. The amount for this reward is determined by the panel based on the quality and the effort required to write a good patch for the bug. Monetary compensation is offered under the program under specific circumstances and according to the rules above.
Monetary bonus for IP Address and/or header identification:
There is a possibility that traffic generated by researchers can be
categorized as malicious. Providing additional information allows us to
identify your traffic. Researchers who are willing to put this information and
provide it in a report will be eligible for a small additional monetary bonus.
This can be done by adding the following header to your request:
Accepted, in-scope vulnerabilities include, but are not limited to:
- Disclosure of sensitive or personally identifiable information
- Server-side or remote code execution (RCE)
- Authentication bypass
- Injection vulnerabilities, including SQL and XML injection
- Directory traversal
- Significant security misconfiguration with a verifiable vulnerability
- Exposed credentials that pose a valid risk to an in scope asset
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario /
exploitability, and (2) security impact of the bug. The following issues are
considered out of scope:
- Reports from automated tools or scans
- Reports affecting outdated browsers
- Denial of Service Attacks
- Issues without clearly identified security impact (such as clickjacking on a static website) or speculative theoretical exploitability - for example using steal the auth cookies, identifying Nginx version, but not being able to perform any attack.
- Missing security best practices and controls (rate-limiting/throttling, lack of CSRF protection, lack of security headers, missing flags on cookies, descriptive errors, server/technology disclosure - without clear and working exploit)
- Lack of crossdomain.xml, p3p.xml, robots.txt or any other policy files and/or wildcard presence/misconfigurations in these.
- Use of a known-vulnerable libraries or frameworks - for example an outdated JQuery or AngularJS (without clear and working exploit)
- Self-exploitation (cookie reuse, self cookie-bomb, self denial-of-service etc.)
- Self Cross-site Scripting vulnerabilities without evidence on how the vulnerability can be used to attack another user
- Lack of HTTPS
- Reports about insecure SSL / TLS configuration
- Password complexity requirements, account/email enumeration, or any report that discusses how you can learn whether a given username or email address has a SecNews-related account
- Presence/Lack of autocomplete attribute on web forms/password managers.
- Server Banner Disclosure/Technology used Disclosure
- Full Path Disclosure
- IP Address Disclosure
- CSRF on logout or insignificant functionalities
- Publicly accessible login panels
- CSS Injection attacks. (Unless it gives you ability to read anti-CSRF tokens or other sensitive information)
- Host Header Injection (Unless it gives you access to interim proxies)
- Cache Poisoning
- Reflective File Download
- Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin: * or accepting of custom Origin header that do not specifically show a valid attack scenario
- PRSSI - Path-relative stylesheet import vulnerabilities (without a impactful exploitation scenario - for example stealing CSRF-tokens)
- OPTIONS/TRACE/DELETE/PUT/WEBDAV or any other HTTP Methods accepted by the server which do not specifically show a valid attack scenario
- Cookie scoped to parent domain or anything related to the path missconfiguration and improperly scoped
- Private IP/Hostname disclosures or real IP disclosures for services using CDN
- Open ports which do not lead directly to a vulnerability
- Our policies on presence/absence of SPF / DKIM / DMARC records
- Lack of DNS CAA and DNS-related configurations
- Weak Certificate Hash Algorithm
- Social engineering of SecNews employees or contractors
- Any physical/wireless attempt against SecNews property or data center
- Account enumeration
Please submit your report by clicking on the “Submit Report” button, your
submission will be reviewed and validated by a member of the SecNews Security
team. Providing clear and concise steps to reproduce the issue will help to
expedite the response. As a bare minimum, please include in your report:
- List the URL and any affected parameters
- Describe the browser, OS, and/or app version
- Describe the perceived impact. How could the bug potentially be exploited?
Bug Submission Requirements
For all submissions, please include:
- Full description of the vulnerability being reported, including the exploitability and impact
- Evidence and explanation of all steps required to reproduce the submission, which may include:
- Exploit code
- Traffic logs
- Web/API requests and responses
- Email address or user ID of any test accounts
- IP address used during testing
- For RCE submissions, see below
- Failure to include any of the above items may delay or jeopardize the Bounty Payment
Public Disclosure Policy
- SecNews will not be publicly disclosing reports at this time. If and when SecNews does disclose a report, it will be mutually agreed upon with the hacker.
- SecNews reserves the right to deny any request for public disclosure. If a hacker publicly discloses without consent, they run the risk of a program ban.
- Follow HackerOne's disclosure guidelines __.
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our website. Only interact with accounts you own or with explicit permission of the account holder.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- You must comply with all applicable Federal, State, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program.
- You agree that You shall not, without the prior written consent of SecNews in each instance (i) use in advertising, publicity or otherwise the name of SecNews or its Affiliates or any trade name, trademark, trade device, service mark, symbol or any abbreviation, contraction or simulation thereof owned by SecNews or its Affiliates, or (ii) represent, directly or indirectly, any service or work provided by You as approved or endorsed by SecNews or its Affiliates.
- You agree that any and all information acquired or accessed by You as part of this exercise is confidential to SecNews and You shall hold the Confidential Information in strict confidence and shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give or disclose such information to third parties or use such information for any purposes other than for the performance of your work.
- You acknowledge and agree that any and all information you encounter is owned by SecNews or its third party providers, clients or customers. You have no rights, title or ownership to any information that you may encounter.
- SecNews may modify the terms of this policy or terminate the policy at any time.
- Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.
- Please do not test for spam, social engineering or denial of service issues. Your testing must not violate any law, or disrupt or compromise any data that is not your own.
Remote Code Execution (RCE) Policy
Vulnerabilities which allow execution of code on the application server or
shell command on the server itself should be run in accordance to this policy.
Prohibited actions when conducting RCE attempts:
- Altering or uploading files on the web server. (In case of file-upload functionality upload of webshells is prohibited, try uploading echo, info or any variable/info-based invocation code)
- Altering file permissions
- Altering/Modifying/Deleting any files on the system.
- Copying any files from the system and disclosing them to a non SecNews site or entity
- Interrupting the normal operation of the server.
- Any type of establishment for persistent connection mechanisms (reverse tunnel, etc) are prohibited.
Payments are made through HackerOne only. You are responsible for paying any
taxes associated with rewards. We reserve the right to modify the terms of
this program or terminate this program at any time. By participating in this
program, you agree to be bound by these rules. You must comply with all
applicable laws in connection with your participation in this program.
Thank you for helping keep SecNews and our daily visitors safe!