C2FO shares and appreciates your attention to security issues.
The safety of all data is our top priority; an absolute prerequisite for any business transaction C2FO may conduct. Support from our stakeholders and conscientious third parties augments our own vigilance in shielding customers from each and every detectable security risk.
The following URI and their subpages are within the scope of this program
C2FO does not accept bug reports outside of this scope.
C2FO maintains the following submission requirements for bugs:
1) Each bug should have its own entry. Entries which contain multiple bugs
will be closed with a "Not Applicable" designation with appropriate verbiage
informing you of this rule.
2) All bugs must contain an actionable and applicable proof-of-concept. Issues without a POC will be closed with a "Not Applicable" designation with appropriate verbiage informing you of this rule. An example of a POC violating this rule is the submission of a clickjacking finding which doesn't reference a URI which takes sensitive information (i.e. credentials) as input.
3) Bugs for missing "security" settings (i.e. SPF records, HTTP headers, etc) are not expected unless the submitter can provide a POC in accordance with rule 2 which demonstrates how the missing setting either allows the attacker to exploit the system or provide leverage leading to system exploitation.
The following finding types are specifically excluded from the bounty:
C2FO does not consider the absence of security headers a vulnerability. They are a possible remediation measure at best and the presence of the item they protect against is the security vulnerability. All submissions of these finding types will be returned as not applicable.
C2FO will verify and respond to all new vulnerabilities by 1000 Central time Monday through Friday. Once C2FO accepts a vulnerability for remedation, C2FO will provide weekly updates on Friday at 1000 Central time until the issue is closed.
C2FO currently does not offer cash bounties. All successful bugs are noted here. We are currently designing a reward program and will update this page when it becomes available.
C2FO would like to thank several individuals for help in discovering a vulnerability in one of our products. Thank you!
This program have been found on Hackerone on 2014-04-01.