07-08-2019 - Categorization of the Issues based on severity and priority for savedroid for new Public Bug Bounty Program.
Issues that savedroid AG would consider to be critical impact include:
Transfer SVD without Balance
Access to Hot Wallets, personal wallet to store the SVD's and trade the crypto SVD's.
Buy Crypto without paying for it
Get the other user private data
Authentication bypass in apps
Changing critical functionality of a system which may lead to severe system misuse
Issues that savedroid AG would consider to be High impact include:
Cross account access in apps
Stored cross-site scripting (XSS) that can affect other users
Flaws that could be used to exploit 3rd-party integration services
Unauthorized configuration changes to installed Infrastructure agents
Remote code execution (RCE) on savedroid backend services
Ability to write data in misconfigured S3 buckets
Private Key Leakage
Issues that savedroid AG would consider to be medium impact include:
Insufficient validation of incoming URI handler calls for mobile applications
leading to information disclosure
Misconfigurations resulting in information leaks
Issues that savedroid AG would consider to be low impact :
Information leaks (e.g. directory listing, first name and last name of a user)
Data leaks from internal systems
savedroid AG __specialises in AI technology for cryptocurrency savings. savedroid registered as an Account Information Service Provider (AIS) at the German banking authority (BaFin); its data protection is certified by TÜV.
savedroid AG aims to keep its Service safe for everyone, and data security is
of the utmost priority.
savedroid AG will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy.
We have included a document that will help you get to know Savedroid a little
better with some frequently asked questions.
SaveDroid will make a best effort to meet the following response targets for hackers participating in our program:
We’ll try to keep you informed about our progress throughout the process.
Please note you are not permitted to access, download or modify data residing
in any other Account, or one that is not registered to you.
You are also prohibited from:
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep SaveDroid and our users safe!
|Scope Type||Scope Name|
Firebounty have crawled on 2019-08-09 the programe savedroid on the platform Hackerone.