Vulnerability Disclosure Policy

Introduction

At Metron we are committed to protect the privacy and security of our customers. More than a position, we also believe in translating a statement into acts and behaviour.

Although we have worked to control and reduce security risks throughout our systems, improvements and vulnerabilities are still able to appear and we wish to get all the information on this matter that we can gather. 

We encourage individuals and groups of security researchers to study/analyse our platform to make it even safer. 

Our Vulnerability Disclosure Program (VDP) is intended to learn and deal with any security flaws found in our infrastructure and software.  If you believe you have found a security vulnerability in our platform, please contact us as soon as possible.  We will investigate all legitimate reports and do our best to address the issue quickly.  Before reporting the issue, please take a moment to review this page, which includes our disclosure policy, guidelines, rules, the program’s scope, potential rewards, and how to contact us.

Responsible Disclosure Policy

• You give us a reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.
• You make a reasonable faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorised access to or destruction of data and interruption or degradation of our services.
• You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for further problems.)
• You do not intentionally violate any other applicable laws or regulations, including (but not limited to) laws and regulations prohibiting unauthorised access to data.
• For this policy, you are not authorised to access user data or company data, including (but not limited to) personally identifiable information and data relating to an identified or identifiable natural person.

Guidelines & Rules

Participating in our VDP requires you to follow our guidelines. Please adhere to the following guidelines to be eligible for rewards under this disclosure program:

• Don’t violate the privacy of other users, destroy data, disrupt our services, etc.
• Don’t disrupt the accounts of other users or services.
• Don’t target our physical security measures or attempt to use social engineering, spam, or distributed denial of service (DDOS) attacks.
• If you find a severe vulnerability that allows system access, you must not proceed further.
• Metron’s security team  decides and determines when and how bugs should be addressed and fixed.
• Disclosing bugs to a party other than Metron is forbidden; all bug reports are to remain at the reporter and Metron’s discretion.
• A threatening behaviour of any kind will automatically disqualify you from participating in the program.
• Exploiting or misusing the vulnerability for one's own benefit will automatically disqualify the report.
• Bug disclosure communications with the Metron Security team are to remain confidential. Researchers must destroy all artefacts created to find and/or document vulnerabilities (POC code, videos, screenshots) after the bug report is closed, which is the default state without feedback from us after 1 month.

Out of Scope Endpoints and Systems

Vulnerabilities on sites hosted by third parties unless they lead to a weakness on any scoped endpoint.

IN-SCOPE VULNERABILITIES

Generally speaking, any bug that poses a significant vulnerability can be eligible for a reward.  It is entirely at Metron’s discretion to decide whether a bug is significant enough to qualify for a reward. Security issues that typically would be eligible (but not necessarily in all cases) are:

• Cross-Site Request Forgery (CSRF)
• Cross-Site Scripting (XSS)
• Code Executions
• SQL injections
• Server-Side Request Forgery (SSRF)
• Privilege Escalations
• Authentication Bypasses
• File inclusions (Local & Remote)
• Protection Mechanism bypasses (CSRF bypass, etc.)
• XML external entity attacks
• Leakage of sensitive data (and its origins)
• Directory Traversal
• Administration portals without an authentication mechanism
• Open redirects which allow stealing tokens/secrets

OUT OF SCOPE VULNERABILITIES

Vulnerabilities that are not eligible for reward include:

• Social Engineering
• Lack of rate-limiting mechanisms
• Open redirects without a severe impact
• Application stack traces (path disclosures, etc.)
• Self-type Cross-Site Scripting / Self-XSS
• Vulnerabilities that require Man in the Middle (MiTM) attacks
• Denial of Service attacks
• CSRF issues on actions with minimal impact
• Cache Poisoning
• Clickjacking
• Incomplete or missing SPF/DMARC/DKIM records
• Brute force attacks
• Security practices (banner revealing a software version, missing security headers, etc.)
• Bugs that do not have security implications
• Vulnerabilities on sites hosted by third parties unless they lead to a weakness on the main website
• Vulnerabilities that are contingent on physical attack, social engineering, spamming, DDOS attack, etc.
• Bugs that already are known to us, or previously reported by someone else (reward goes to the first reporter)
• Issues that aren’t reproducible

Reporting

Send an email to ciso@metronlab.com with information about the vulnerability and detailed steps on how to replicate it.

• The report must pertain to an item explicitly listed under our in-scope vulnerabilities section.
• The report should also contain as much information as you can–ideally, a description of your findings, the steps needed to reproduce it, and the vulnerable component.
• If you need to share screenshots/videos, please upload it to Google Drive (or any other upload service) and share with us the links to those files.

We will make every effort to respond to accurate reports within seven business days.

All assessments are considered final.

Ratings/Rewards

Ratings

For the initial prioritisation/rating of findings (with a few exceptions), this program will use the Bugcrowd Vulnerability Rating Taxonomy.

However, it is essential to note that in some cases, a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded.

Rewards

At present, we can only offer non-cash rewards, including:

• A gift card from Amazon (www.amazon.com)

Only the first report we receive about a given vulnerability will be rewarded. We cannot send rewards where prohibited by law.