Vulnerability Disclosure
Responsible Vulnerability Disclosure Program
Overview
The information provided in this page is intended for security researchers who want to report discovered security vulnerabilities to our internal security team.
At Genius Yield, we take the security of our users very seriously. If you believe you have discovered a potential security vulnerability within the program scope, please help us fix it as quickly as possible by reporting your findings to us in accordance with the guidelines described below.
Security is taken extremely seriously at Genius Yield, which is why our Security team investigates all reported vulnerabilities.
Program Scope
The scope of this program is limited to the following websites:
www.geniusyield.co
www.genius-x.co
academy.geniusyield.co
The scope of this program does not include any information or results published by our customers regarding our platform or services. Since we do not own these assets, we are unable to authorize testing of any such systems or domains, in accordance with our Safe Harbor statement.
Program Guidelines
At Genius Yield, we recognize the important role security researchers play in helping us build a more secure future.
If you discover a vulnerability in the scope described above, please notify us at security@geniusyield.co, following these guidelines:
Please share the security issue with us before making it public
Please wait until we notify you that the vulnerability has been resolved before you disclose it publicly. Some vulnerabilities can take longer than others to resolve.
Avoid any violation of privacy, manipulation or destruction of data, degradation of the user experience, and system or platform disruptions, including, but not limited to, automated scanners that generate high traffic volume and exploiting an identified security vulnerability beyond the extent necessary to confirm the finding.
Please provide full details of the security issue, including Proof-of-Concept (POC), steps to reproduce the issue and the details of the system where the tests were conducted.
To receive credit, you must be the first to report the vulnerability, and you must provide us a reasonable amount of time to remediate before you disclose the issue publicly.
We want to publicly acknowledge and thank members of our community for reporting a vulnerability. Please let us know if you would like to appear on our Hall of Fame.
Eligible vulnerabilities
We encourage the disclosure of the following web vulnerabilities that could affect the confidentiality, integrity and availability of our services:
Authentication/Authorization bypass
Cross-site scripting (XSS)
Cryptography
Cross-site request forgery (CSRF) in a privileged context
Directory traversal
HTTP response splitting
Injection vulnerabilities
Sensitive information leakage
Server-side code execution/remote code execution
Significant security misconfiguration
URL redirector abuse
XML attacks
Server-Side Request Forgery (SSRF)
Exclusions
While we welcome information about any potential issue that can affect the security of Genius Yield or our customers, we exclude the following issues from this program unless you demonstrate that the issue can be exploited:
Bugs that do not pose any security risk
User enumeration and brute-force attacks
Denial of Service attacks
CSRF in actions that are non-significant (e.g., logout) or do not require authentication (or a session) to exploit
CSV Injection
Framing and clickjacking vulnerabilities without a documented series of clicks that produce a real security impact
Insecure cookie settings for non-sensitive cookies
Invalid or missing SPF (Sender Policy Framework) records
Issues relating to Password Policy
Lack of security mechanism or inconsistency with best practices without demonstrating a real security impact (e.g., lack of security headers)
Non-sensitive information disclosure (such as product version, path, etc.)
Missing HTTP Headers
"Scanner output" or scanner-generated reports
Security issues in services that are not operated by Genius Yield
Self-XSS without demonstrating a real impact for users
Spam or Social Engineering techniques
SSL/TLS misconfigurations (e.g., weak cipher-suites)
Vulnerabilities requiring physical access to the victim's unlocked device
Vulnerabilities that only affect users of outdated or unpatched browsers
Reporting a vulnerability
Before sending us your report at security@geniusyield.co, please ensure that you provide all the information requested. Reports without complete information slow down our ability to repair the vulnerability and might not be processed until we receive the requested information.
To make the review process effective and efficient, we suggest you include the following information:
A brief description of the issue found and the impact
Proof-of-Concept and details of the affected parameter(s)
Detailed steps to reproduce the vulnerability
Possible attack scenario and/or a description of how the vulnerability could be exploited
Your name and a link to your website or social media for recognition in our Hall of Fame (optional)
Safe Harbor
All activities conducted in good faith and in accordance with this program will be considered authorized conduct. Genius Yield will not initiate any legal action against you for conducting such activities. If legal action is taken by a third party against you in relation to activities conducted under this program, Genius Yield will take commercially reasonable actions to make it known to the third party that your actions were authorized and conducted in compliance with this Program.
General
Genius Yield reserves the right to change or discontinue the terms and conditions of this Responsible Vulnerability Disclosure Program at any time without notice. Genius Yield also reserves the right to make the final decision on the interpretation of the terms and conditions of this Responsible Vulnerability Disclosure Program.
Last updated