C2FO shares and appreciates your attention to security issues.

The safety of all data is our top priority; an absolute prerequisite for any business transaction C2FO may conduct. Support from our stakeholders and conscientious third parties augments our own vigilance in shielding customers from each and every detectable security risk.

Rules of Engagement

Scope

The following URI and their subpages are within the scope of this program

1) https://c2fo.com __
2) https://app.c2fo.com __
3) https://admin.c2fo.com __

C2FO does not accept bug reports outside of this scope.

Bug Submission

C2FO maintains the following submission requirements for bugs:

1) Each bug should have its own entry. Entries which contain multiple bugs will be closed with a "Not Applicable" designation with appropriate verbiage informing you of this rule.
2) All bugs must contain an actionable and applicable proof-of-concept. Issues without a POC will be closed with a "Not Applicable" designation with appropriate verbiage informing you of this rule. An example of a POC violating this rule is the submission of a clickjacking finding which doesn't reference a URI which takes sensitive information (i.e. credentials) as input.
3) Bugs for missing "security" settings (i.e. SPF records, HTTP headers, etc) are not expected unless the submitter can provide a POC in accordance with rule 2 which demonstrates how the missing setting either allows the attacker to exploit the system or provide leverage leading to system exploitation.

Items which are not in scope for bounties

The following finding types are specifically excluded from the bounty:

• Descriptive error messages (e.g. Stack Traces, application or server errors).
• Login Page / Forgot Password Page Account Brute force or account lockout not enforced.
• HTTP 404 codes/pages or other HTTP non-200 codes/pages.
• Banner disclosure on common/public services.
• Disclosure of known public files or directories, (e.g. robots.txt).
• Clickjacking and issues only exploitable through clickjacking.
• Self-XSS and issues exploitable only through Self-XSS.
• CSRF on forms that are available to anonymous users (e.g. the contact form).
• Logout Cross-Site Request Forgery (logout CSRF).
• Presence of application or web browser ‘autocomplete’ or ‘save password

The Lack of Security Headers

C2FO does not consider the absence of security headers a vulnerability. They are a possible remediation measure at best and the presence of the item they protect against is the security vulnerability. All submissions of these finding types will be returned as not applicable.

C2FO Response

C2FO will verify and respond to all new vulnerabilities by 1000 Central time Monday through Friday. Once C2FO accepts a vulnerability for remedation, C2FO will provide weekly updates on Friday at 1000 Central time until the issue is closed.

Bounties

C2FO currently does not offer cash bounties. All successful bugs are noted here. We are currently designing a reward program and will update this page when it becomes available.

Thank You

C2FO would like to thank several individuals for help in discovering a vulnerability in one of our products. Thank you!