Naspers

Naspers values the input of the security community to create a more secure Internet and welcomes the opportunity to collaborate with community members who share this common goal.

This coordinated vulnerability disclosure program (VDP) is limited to security vulnerabilities identified within Naspers's public online presence. Please review the program contents before submitting your findings.


Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.

This program only awards points for VRT based submissions.

Targets

In scope

Target name | Type
---|---
*.naspers.com | Website Testing
*.naspers.fr | Website Testing
*.naspers.us | Website Testing
*.naspersventures.com | Website Testing
*.naspers.co | Website Testing
*.naspers.co.in | Website Testing
*.prosus.com | Website Testing

Out of scope

Target name | Type
---|---
development.naspers.com | Website Testing
development-nasperspolicy.naspers.com | Website Testing
development-naspersbrand.naspers.com | Website Testing
development-prosus.naspers.com | Website Testing

Testing is only authorized on the targets listed as In-Scope. _Any domain/property of Naspers not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting._


Target Information

Web Applications:

https://www.naspers.com is our corporate website. Researchers are invited to test all aspects of this application by following the guidelines detailed in this program.

Please note: no credentials will be provided for testing.

Please do not use automated vulnerability scanners on this program. Custom scripts and fuzzing tools are permitted, but if using them, please keep your traffic to six requests per second or less. Additionally, it’s worth noting that the client already runs automated scans from Acunetix, ZAP, Nessus, et al., against the in-scope targets, so using these tools is likely of minimal utility to researchers. As such, please avoid using them except for targeted, specific testing, and then only at less than six requests per second.

Focus Areas:

  • Cross-site Scripting (XSS)
  • Cross-site Request Forgery
  • Server-Side Request Forgery (SSRF)
  • SQL Injection
  • Remote Code Execution (RCE)
  • XML External Entity Injection (XXE) with significant impact
  • Access Control Issues
  • Authentication Bypass Issues
  • Authorization Flaws
  • Privilege Escalation
  • Directory Traversal Issues
  • Sensitive Information Disclosure
  • Data Exposure
  • Business Logic Vulnerabilities

Out of Scope:

The following submission types will not be rewarded (as per Bugcrowd's Vulnerability Rating Taxonomy):

  • Denial of service (DoS) attacks
  • Findings as reported by automated tools without additional analysis as to how and what is vulnerable
  • Vulnerabilities only affecting users of outdated or unpatched browsers
  • Spam reports
  • Phishing and social engineering reports
  • Targeted attacks against social media or third-party services that Naspers uses (LinkedIn, Twitter, etc.)

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

Learn more about Bugcrowd’s VRT.


The program has been crawled by Firebounty on 2019-09-13 and updated on 2019-09-15; 92 reports have been received so far.
