Hudu Vulnerability Disclosure Program

  • Updated

At Hudu, we love working with security researchers.

If you are a security researcher, and believe you have found a potential security issue in the Hudu platform, please contact us. We will make every effort to quickly resolve the problem.

Submitting a Report

After creating a report, please send it to security@hudu.com. Please read the following rules, policies, and information on response targets to make sure you are eligible for a reward.

Hudu Response Targets

Hudu will make a best effort to meet the following SLAs for researchers participating in the program. We will do our best to keep you informed through the process.

Type of response SLA
First Response 1 day
Time To Triage 2 days
Time to Resolution Depends on severity and complexity

 

Disclosure Policy and Program Rules

  • A Proof of Concept (PoC) is required for all reports
  • We may ask you to help confirm the fix
  • Please submit a detailed report with screenshots, steps on how reproduce, and anything else that will help us validate your findings. If we can't reproduce the issue, then we can't award the report.
  • If creating accounts, please keep to a limit of 3 accounts
  • Make a good faith effort to avoid destruction of data, privacy violations, and anything that could degrade our service. Only interact with accounts you own.
  • When there is a duplicate submission, we will only award the first report that was received (as long as it can be fully reproduced).
  • Please only submit one vulnerability at a time (unless it requires additional context)
  • Please refrain from:
    • Social engineering (including phishing) of Hudu staff, contractors, or customers
    • Any physical attempts against Hudu property or data centers
    • Denial of service
    • Brute forcing
    • Spamming

The Following List is Out of Scope

  • Attacks requiring MITM or physical access to a user's device.
  • Attacks requiring attacker control over a user's email account
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
  • Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
  • Tabnabbing
  • Issues that require unlikely user interaction
  • Additional Out Of Scope Targets (we don't own these properties, they are hosted on other software): 
    • support.usehudu.com
    • community.hudu.com
    • feedback.hudu.com
    • Hudu Social Media Accounts
    • Hudu.com (our marketing website, hosted on Netlify.com) 

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
 
Thank you for helping keep Hudu and our users safe!

Still have questions?

Contact us