At Vend, we love fostering new relationships with the security community to find security vulnerabilities in order to keep Vend and its customers safe. Vend will make a best effort to respond to incoming reports within 5 business days and after validating a legitimate security issue, we generally set out to remediate within 90 days. We’ll try to keep you informed about our progress throughout the process.
This page is intended for security researchers. For general information about security at Vend, please see our main website (http://www.vendhq.com/security).
Update 22 January 2018
We're live again! Vend are back up to speed and ready for more vulnerability reports if you can find them ;)
Eligibility & Disclosure Policy
* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
* Follow HackerOne's disclosure guidelines (https://www.hackerone.com/disclosure-guidelines).
* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
* Multiple vulnerabilities caused by one underlying issue will be awarded once.
Test Accounts (IMPORTANT)
Vend regularly purges accounts that perform suspicious activities on our services. All accounts belonging to white hat researchers should end in "+hackerone" to prevent deletion and to qualify to participate in this program. (e.g. email@example.com). Please do not excessively create trial accounts on our systems to perform tests against the sign-up page.
Please Be Nice To Us
In the interest of the safety of our customers, employees, the Internet at large and you as a security researcher, and in order to allow us to identify legitimate security research as opposed to malicious attacks against our services, we promise not to bring legal action against researchers who:
* Do not run automated scans without checking with us first. They are often very noisy.
* Do not test the physical security of Vend offices, employees, equipment, etc.
* Do not test using social engineering techniques (phishing, vishing, etc.).
* Do not perform DoS or DDoS attacks.
* Do not test any third party hosted services (e.g. support.vendhq.com, Vend surveys served through e-mail and/or hosted by third parties, etc.).
* Do not perform any research or testing in violation of law.
* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
* Respect our 'Test Accounts' policy.
For now, only the following properties are in scope. We are starting small and will scale up over time. If you have any questions about scope, please ask us at firstname.lastname@example.org before performing any testing.
* www.vendhq.com - Our corporate website
* developers.vendhq.com - Allows integrators to develop on the Vend API
* your-store.vendhq.com - Vend point of sale and retail management where your-store is your assigned subdomain for the store you have registered when you created your account.
* your-store.vendecommerce.com - Vend ecommerce where your-store is your assigned subdomain for the store you have registered when you created your account.
* iPad App: https://itunes.apple.com/us/app/vend-register-pos-point-of-sale/id920603929
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.
The following finding types are specifically excluded from our program:
* CSV injection
* Open redirects
* Login/logout CSRF
* Missing cookie flags on non-sensitive cookies
* Presence of autocomplete attribute on web forms
* XSS on your-store.vendecommerce.com
* Attacks requiring physical access to a user's device
* Fingerprinting/banner disclosure on common/public services.
* Mail configuration issues including SPF, DKIM, DMARC settings
* Disclosure of known public files or directories (e.g. robots.txt)
* Use of a known-vulnerable library (without evidence of exploitability)
* Vulnerabilities in third party applications which make use of the Vend API
* Vulnerabilities affecting users of unsupported or outdated browsers or platforms
* Any access to data where the targeted user needs to be operating a rooted mobile device
* "Self" XSS (we require evidence on how the XSS can be used to attack another Vend user)
* Password and account recovery policies, such as reset link expiration or password complexity
* Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)
* Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)
* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages
Vend operate a VDP and will reward hackers with reputation for valid bugs that have not already been reported (duplicates). Please note these are general guidelines and examples, and that reward decisions are at the discretion of Vend. Vend will triage all reports to determine the validity of the vulnerability; only once a report is confirmed as valid will Vend award reputation points based on the HackerOne recommended guidelines.
Thank you for helping keep Vend and our customers safe!
Hall of Fame