Vulnerability Disclosure

Responsible Vulnerability Disclosure Program

Overview

The information provided on this page is intended for security researchers who want to report discovered security vulnerabilities to our internal security team.

At Genius Yield, we take the security of our users very seriously. If you believe you have discovered a potential security vulnerability within the program scope, please help us fix it as quickly as possible by reporting your findings to us in accordance with the guidelines described below.

Security is taken extremely seriously at Genius Yield, which is why our Security team investigates all reported vulnerabilities.

Program Scope

The scope of this program is limited to the following websites:

  • www.geniusyield.co

  • www.genius-x.co

  • academy.geniusyield.co

The scope of this program does not include any information or results published by our customers regarding our platform or services. Since we do not own these assets, we are unable to authorize testing of any such systems or domains, in accordance with our Safe Harbor statement.

Program Guidelines

At Genius Yield, we recognize the important role of security researchers in helping us build a more secure future.

If you discover a vulnerability in the scope described above, please notify us at security@geniusyield.co, following these guidelines:

  • Please share the security issue with us before making it public.

  • Please wait until we notify you that the vulnerability has been resolved before you disclose it publicly. Some vulnerabilities can take longer than others to resolve.

  • Avoid any violation of privacy, manipulation or destruction of data, degradation of the user experience, and system or platform disruptions, including, but not limited to, automated scanners that generate high traffic volume, and exploiting an identified security vulnerability beyond the extent necessary to confirm the finding.

  • Please provide full details of the security issue, including a Proof-of-Concept (PoC), steps to reproduce the issue, and details of the system where the tests were conducted.

  • To receive credit, you must be the first to report the vulnerability, and you must provide us a reasonable amount of time to remediate before you disclose the issue publicly.

  • We want to publicly acknowledge and thank members of our community for reporting a vulnerability. Please let us know if you would like to appear on our Hall of Fame.

Eligible vulnerabilities

We encourage the disclosure of the following web vulnerabilities that could affect the confidentiality, integrity and availability of our services:

  • Authentication/Authorization bypass

  • Cross-site scripting (XSS)

  • Cryptography

  • Cross-site request forgery (CSRF) in a privileged context

  • Directory traversal

  • HTTP response splitting

  • Injection vulnerabilities

  • Sensitive information leakage

  • Server-side code execution/remote code execution

  • Significant security misconfiguration

  • URL redirector abuse

  • XML attacks

  • Server-Side Request Forgery (SSRF)

Exclusions

While we welcome information about any potential issue that can affect the security of Genius Yield or our customers, we exclude the following issues from this program unless you demonstrate that the issue can be exploited:

  • Bugs that do not pose any security risk

  • User enumeration and brute-force attacks

  • Denial of Service attacks

  • CSRF in actions that are non-significant (e.g., logout) or do not require authentication (or a session) to exploit

  • CSV Injection

  • Framing and clickjacking vulnerabilities without a documented series of clicks that produce a real security impact

  • Insecure cookie settings for non-sensitive cookies

  • Invalid or missing SPF (Sender Policy Framework) records

  • Issues relating to Password Policy

  • Lack of security mechanism or inconsistency with best practices without demonstrating a real security impact (e.g., lack of security headers)

  • Non-sensitive information disclosure (such as product version, path, etc.)

  • Missing HTTP Headers

  • "Scanner output" or scanner-generated reports

  • Security issues in services that are not operated by Genius Yield

  • Self-XSS without demonstrating a real impact for users

  • Spam or Social Engineering techniques

  • SSL/TLS misconfigurations (e.g., weak cipher-suites)

  • Vulnerabilities requiring physical access to the victim's unlocked device

  • Vulnerabilities that only affect users of outdated or unpatched browsers

Reporting a vulnerability

Before sending us your report to security@geniusyield.co, please ensure that you provide all the information requested. Reports without complete information slow down our ability to repair the vulnerability and might not be processed until we receive the requested information.

To make the review process effective and efficient, we suggest that you include the following information:

  • A brief description of the issue found and the impact

  • Proof-of-Concept and details of the affected parameter

  • Detailed steps to reproduce the vulnerability

  • Possible attack scenario and/or a description of how the vulnerability could be exploited

  • Your name and a link to your website or social media for recognition in our Hall of Fame (optional)

Safe Harbor

All activities conducted in good faith and in accordance with this program will be considered authorized conduct. Genius Yield will not initiate any legal action against you for conducting such activities. If legal action is taken by a third party against you in relation to activities conducted under this program, Genius Yield will take commercially reasonable actions to make it known to the third party that your actions were authorized and conducted in compliance with this program.

General

Genius Yield reserves the right to change or discontinue the terms and conditions of this Responsible Vulnerability Disclosure Program at any time without notice. Genius Yield also reserves the right to make the final decision on the interpretation of the terms and conditions of this Responsible Vulnerability Disclosure Program.

Last updated