Responsible Disclosure Program
SideFX welcomes and encourages security researcher reports regarding vulnerabilities within our online services.
- Please avoid any privacy violations, degradations and disruption to our production system during your testing.
- Do not attempt to brute-force or spam our systems.
- Whenever possible, please delete any content you generated on the website if no vulnerabilities are found. E.g. comments, image gallery, tutorials, etc.
- Please do not modify or destroy existing data.
- Please keep information disclosed confidential between yourself and SideFX, until we resolve the issue. We will make our best efforts to fix bugs in a sensible timeframe.
We encourage you to report the following:
- Cross Site Scripting
- Cross Site Request Forgery
- SQL Injection
- Unrestricted Server File System Access
- Authentication Issues
- Authorization Issues
- Account Hijacking
- Server-Side Code Execution Bugs
The following will be considered out of scope:
- Cookie valid after logout, password change/reset
- Cookie is not HttpOnly
- CSRF possible to logout user
- Any man-in-the-middle attack (i.e. session hijacking after getting session ID via MITM attack)
- Reflected XSS in preview mode of the Tutorials builder (tutorials are sanitized when submitted)
- Public mailing list (lists.sidefx.com) and Public FTP (ftp.sidefx.com) are intended to be public
- Username/email enumeration
- No maximum length restriction on passwords.
- Denial of Service attack
- Brute forcing
- General "best-practice" type reports without a clear impact or exploit are generally not accepted as qualifying bugs
- Issues with old browsers/plugins
- Vulnerability requiring social engineering or phishing to be performed
- UI and UX bugs
- Spelling and grammatical mistakes
Please include a short description of the vulnerability and clear steps to reproduce it in your report. Concrete security risk scenarios are valued higher than hypothetical ones.
Please send your report on the HackerOne platform at this address: https://hackerone.com/sidefx/
A reward may be awarded after verifying that the vulnerability is reproducible and has an impact to our customers. Each submission will be evaluated case-by-case. The decision and amount of the reward will be at the discretion of SideFX. If we receive multiple reports for the same issue from different parties, the reward will be granted to the first eligible submission.
Participants must be 14 years of age or older to participate or have their parent’s or legal guardian’s permission. Current employees of SideFX or immediate family members or household members of such employees may not participate.
Wall of Fame
SideFX would like to thank the following researchers for participating in our responsible disclosure program.
- Dhiren Kumar Pradhan
- Parikshit Pingle
- Gourab Sadhukhan
- Mohd Waseyuddin
- Aditya Kabra
- Souvik Mondal
- Bhupendra Rajbhar
- Kshitiz Raj