


Company Name: Mobidea

Program Type: Bug Bounty Program

Official Website: https://www.mobidea.com/bounty-program/

Social Network: https://www.mobidea.com/

Contact: Email Address

PGP KEY: Public PGP Key

Guidelines of the Security Program

Mobidea is a Mobile Programmatic Affiliate Network for Media Buyers and Webmasters. We specialize in User Acquisition focused on CPA (Cost per Acquisition) and CPI (Cost per Install) campaigns, converting your mobile traffic like no other.

Data and Security
Our affiliates trust us with very important information and that's why we've decided to launch our Bug Bounty Program (BBP). We need to have the best security system possible and, through the BBP, we'll reward security researchers if and when they report a VALID security vulnerability.

Responsible Disclosure
Refrain from the following:
- accessing private information (test only on your own accounts);
- performing actions that may negatively affect Mobidea users (spam, denial of service);
- attempting to break into any of the Mobidea offices, or phishing attacks against our employees.

You MUST NOT disclose a Mobidea vulnerability to the public, on your blog or on your social media page(s), before the problem is fixed. Before publishing, send us the blog post so that it can be properly reviewed. You must not exploit a security vulnerability such as SQL injection: do not use it to dump our database in an attempt to show us how serious the vulnerability is. To demonstrate the threat, send us only the following: a) the hostname; b) the current database user.

Our Responsibilities
We vow never to initiate a police investigation against security researchers who report security vulnerabilities without intending to exploit them for their own benefit. We promise to reply to your security report within 24 hours. We will work hard to get reported bugs and vulnerabilities fixed as quickly as possible.

Eligible Security Bugs & Vulnerabilities (In Scope)

Affiliate Platform Application

Mobidea Android Mobile Application

Mobidea iPhone Mobile Application

Security Program Exclusions (Out of Scope)

The following finding types are specifically excluded from the bounty:

- Social engineering reports that require user interaction
- Reports about sessions/cookies (session fixation, missing Secure flag, HttpOnly problems, etc.)
- Reports about a weak password policy
- CSRF with low impact (e.g. CSRF on a file download)
- Reports about missing SPF records
- Reports that links should expire after one-time use (e.g. password reset links)
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Fingerprinting / banner disclosure on common/public services
- Disclosure of known public files or directories (e.g. robots.txt)
- Clickjacking and issues only exploitable through clickjacking
- CSRF on forms that are available to anonymous users (e.g. the contact form)
- Logout cross-site request forgery (logout CSRF)
- Presence of application or web browser 'autocomplete' or 'save password' functionality
- Lack of a security speed bump when leaving the site
- Weak CAPTCHA / CAPTCHA bypass
- Login or forgot-password page brute force and account lockout not enforced
- OPTIONS HTTP method enabled
- Username / email enumeration via login page or forgot-password error messages
- Missing HTTP security headers
- Vulnerabilities as reported by automated tools without additional analysis as to how they are an issue
- Denial of service attacks against the infrastructure or software
- Content injection issues (low-level content spoofing)
- Non-validated reports from automated web vulnerability scanners (Acunetix, Vega, etc.)
- SSL/TLS scan reports (output from sites such as SSL Labs)
- Open ports without an accompanying proof-of-concept demonstrating a vulnerability
- Self-XSS that cannot be used to exploit other users or accounts (e.g. having a user paste JavaScript into the browser console)

Note: You are eligible only if you are the first person to report a previously unknown issue to Mobidea.

Validation Process of Security Vulnerabilities & Bugs

1. The researcher reports the security issue to our security team using the Vulnerability Lab platform
2. We perform an initial review of the report and check whether it is a duplicate, invalid or out of scope
3. We then escalate the vulnerability report for further investigation
4. After the vulnerability is fixed/patched, we mark the report as resolved and add you to our hall of fame (Acknowledgements Page - https://www.mobidea.com/security/thanks/)

Rules of Security Program

Qualified Vulnerabilities
All services provided by Mobidea at the targets listed above are eligible for our commercial bug bounty program. As a rule, we are interested in bugs and vulnerabilities that genuinely pose a threat to the security of Mobidea and its affiliates. The following are examples of findings that will receive a commercial bounty reward.

- SQL injection
- Server-Side Remote Code Execution (RCE)
- Privilege Escalation
- Local/Remote File Inclusion
- XML External Entity Attacks (XXE)
- Cross Site Scripting (XSS)
- Cross Site Request Forgery
- Open Redirect

Communication Encryption with PGP

Please use the public PGP key of the bug bounty program's vendor to communicate with encryption when exchanging zero-day vulnerabilities or bugs. Use of the PGP key is not a requirement for participating in the official bug bounty program, but we recommend PGP encryption (Windows, Mac or Linux) for the exchange of unknown vulnerabilities.

Copyrights, Permission & Trademarks

All pictures, texts, advisories, source codes, resources, videos and other information on the Vulnerability Lab website are trademarks of the Evolution Security GmbH company and the specific authors, manufacturers or manager teams. To record, publicly list (feed/auto), modify, publicly demo, copy or edit our material, contact the administrators or managers of the program to obtain permission.

