VHX is committed to protecting our customers' data and privacy. We greatly respect the work of security experts everywhere, and strive to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we'd love to hear from you.
Please review the scope and rules below before submitting a report. We promise to evaluate and respond to all valid reports within a reasonable amount of time. If your work helps us improve the security of our service, we'll be happy to acknowledge your contribution (/vhx/thanks).
In Scope
* The VHX homepage at vhx.tv / ott.vimeo.com
* Any of VHX's apps
* VHX iOS App (https://itunes.apple.com/us/app/find-what-feels-good-yoga/id1050813703?mt=8), VHX tvOS App
* VHX Android App (https://play.google.com/store/apps/details?id=tv.vhx&hl=en)
* VHX Roku App (https://channelstore.roku.com/details/48061/vhx)
* Any of our branded apps
* Branded iOS App (https://itunes.apple.com/us/app/find-what-feels-good-yoga/id1050813703?mt=8)
* Branded Android App (https://play.google.com/store/apps/details?id=tv.vhx.yogawithadriene&hl=en)
* Branded Roku App (https://channelstore.roku.com/details/77809/yoga-with-adriene)
* The VHX embedded player on embed.vhx.tv
* The VHX API on api.vhx.tv (API docs: http://dev.vhx.tv/)
* Any of our hosted sites at *.vhx.tv, except for community.vhx.tv (and only if the issue would affect every hosted site, not just how a particular customer configured theirs)
Out of Scope
* Missing HTTP security headers (unless you deliver a proof of concept that leverages their absence)
* Reports of window.opener redirects
* Reports from automated tools or scans
* Self-XSS (XSS exploits that cannot maliciously affect users besides yourself)
* User enumeration
* Rate limiting concerns related to login / password reset / password change / etc
* Denial of service attacks (do not perform them)
* Homograph attacks
* Clickjacking reports for /login and /buy
* 3rd party sites used by VHX
* Subdomain takeovers where someone has signed up for an account and forwarded it to an external site that doesn't exist or can be compromised
* RCE on sites that link or are redirected from *.VHX.TV and VHX.TV
* Subdomain takeovers that involve simply signing up for a *.VHX.TV account; these only qualify when the subdomain does not forward to our application platform
* Brute forcing
Rules
* To receive credit, you must be the first reporter of a vulnerability and the ticket must reach the triaged state
* Follow the HackerOne Vulnerability Disclosure Guidelines (https://hackerone.com/disclosure-guidelines)
* Don't attempt to access other people's private data. It's free to sign up as a VHX seller, so you should be able to set up example data on your own
* Don't DDoS or otherwise attack us in a way that would disrupt service for our customers
Please take the time to make a proof of concept that shows how a particular vulnerability is exploitable. You must be able to reproduce it on your own account(s). Reports from scanners will not be accepted.
Bounties are only rewarded, if appropriate, after the ticket has been resolved and the researcher has verified the fix. We do not award after triage. Bounty amounts are determined by a panel based on the type, severity, exposure, difficulty to exploit, quality of report and other factors.
Triage is generally done between 9:00 am and 4:30 pm Eastern, Monday through Friday, except for company holidays and special instances (April 23-27 2018 we will only be triaging every 2-3 days). Please allow time for triage: this program was recently opened to the public and we are receiving many of the same requests, which we need to work through properly, in order, to ensure they are covered. We are not linking duplicates at this time.
Every triaged ticket is put into the developers' online ticket system and given a priority (which may not match the one originally assigned by the researcher). The developers do have a stated timeline within which they are required to address a ticket based on its severity, but given the recent public release of the program please be extra lenient with them. I regret this, but if you haven't heard back on a ticket, please don't send "Updates" or "??" emails, as they will be ignored. If a ticket is in the triaged state, it will be addressed as quickly as possible.
Hall of Fame