At Hudu, we love working with security researchers.
If you are a security researcher, and believe you have found a potential security issue in the Hudu platform, please contact us. We will make every effort to quickly resolve the problem.
Submitting a Report
After creating a report, please send it to email@example.com. Please read the following rules, policies, and information on response targets to make sure you are eligible for a reward.
Hudu Response Targets
Hudu will make a best effort to meet the following SLAs for researchers participating in the program. We will do our best to keep you informed through the process.
| Type of response | SLA |
| --- | --- |
| First Response | 1 day |
| Time To Triage | 2 days |
| Time to Resolution | Depends on severity and complexity |
Disclosure Policy and Program Rules
- A Proof of Concept (PoC) is required for all reports
- We may ask you to help confirm the fix
- Please submit a detailed report with screenshots, steps on how to reproduce, and anything else that will help us validate your findings. If we can't reproduce the issue, then we can't award the report.
- If creating accounts, please keep to a limit of 3 accounts
- Make a good faith effort to avoid destruction of data, privacy violations, and anything that could degrade our service. Only interact with accounts you own.
- When there is a duplicate submission, we will only award the first report that was received (as long as it can be fully reproduced).
- Please only submit one vulnerability at a time (unless it requires additional context)
- Please refrain from:
  - Social engineering (including phishing) of Hudu staff, contractors, or customers
  - Any physical attempts against Hudu property or data centers
  - Denial of service
  - Brute forcing
The Following List is Out of Scope
- Attacks requiring MITM or physical access to a user's device.
- Attacks requiring attacker control over a user's email account
- Previously known vulnerable libraries without a working Proof of Concept.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
- Issues that require unlikely user interaction
- Additional Out Of Scope Targets (we don't own these properties, they are hosted on other software):
  - Hudu Social Media Accounts
  - Hudu.com (our marketing website, hosted on Netlify.com)