Vulnerability Disclosure - Program

Introduction

The information on this page is intended for security researchers interested in responsibly reporting security vulnerabilities to the Rocksurance Solutions security team.

If you believe you've discovered a security vulnerability on or within the MyNameFlow application, we strongly encourage you to inform us as quickly as possible. We ask that such vulnerability reports be kept private and researchers not make those public until we have resolved the issue.

In return, we will work to review reports and respond in a timely manner.

Safe Harbor

Rocksurance Solutions will not seek judicial or law enforcement remedies against you for identifying security issues, so long as you (1) comply with the policies set forth herein; (2) only disclose the vulnerability to Rocksurance Solutions until we have resolved the issue; (3) do not compromise the safety or privacy of our users; and (4) do not destroy any sensitive data you might have gathered from MyNameFlow as part of your research once issues are resolved.

If you have any questions, please contact us at info@mynameflow.com.

Thank you for your help.

Vulnerability Program Scope & Rules

In Scope

We are primarily interested in hearing about the following vulnerability categories:

  • Sensitive Data Exposure – Cross Site Scripting (XSS) Stored, SQL Injection (SQLi), etc.

  • Authentication or Session Management related issues

  • Remote Code Execution

  • Particularly clever vulnerabilities or unique issues that do not fall into explicit categories.

Out of Scope

The following vulnerability categories are considered out of scope of our responsible disclosure program and should be avoided by researchers.

  • Denial of Service (DoS) – Either through network traffic, resources exhaustion or others

  • User enumeration

  • Issues only present in old browsers/old plugins/end-of-life software browsers

  • Phishing or social engineering of Rocksurance Solutions employees, users or clients

  • Systems or issues that relate to Third-Party technology used by Rocksurance Solutions.

  • Disclosure of known public files and other information disclosures that are not a material risk (e.g.: robots.txt)

  • Any attack or vulnerability that hinges on a user’s computer first being compromised

Please note that you are expected to engage in security research responsibly. For example, if you discover a publicly exposed password or key, you should not use the key to test the extent of access it grants or to download or exfiltrate data in order to prove it is an active key. Similarly, if you discover a successful SQL injection, you are expected not to exploit the vulnerability beyond any initial steps needed to demonstrate your proof-of-concept.

Excessive exfiltration or downloading of MyNameFlow data, or demanding payment in return for destruction of MyNameFlow data, will be considered outside of the scope of this program, and Rocksurance Solutions will reserve all of its rights, remedies, and actions to protect itself and its users.

Vulnerability Rewards

Our public program currently does not provide any monetary reward beyond our thanks and the appreciation of our users. If you are interested in helping us in a more dedicated manner as a security researcher in our Private Program, please contact info@mynameflow.com with your request and justification.

At Rocksurance Solutions’s sole discretion, we may make exceptions to this policy for exceptional contributions.

Reporting a Security Vulnerability

Please use the form below to report security vulnerabilities to Rocksurance Solutions.