Responsible Disclosure Policy

At ThreatSims, we understand the vital role of the cybersecurity community in safeguarding customer data and enhancing the security of our solutions and applications. Our Responsible Disclosure Program invites individuals, developers, and security experts (referred to as "Researchers") to discover and report security vulnerabilities in ThreatSims products. 

We encourage Researchers to voluntarily report any vulnerabilities they uncover in connection with ThreatSims' solutions. By submitting a vulnerability report to ThreatSims, the Finder acknowledges that they have read and agreed to the terms and conditions outlined on this page ("Terms and Conditions").

Let's collaborate to create a more secure future, one bug report at a time!

Terms and Conditions

Comply with the terms in this Responsible Disclosure Policy:

1. Do not execute or attempt to execute any "Denial of Service" attack.
2. Do not run automated scans without first checking with ThreatSims.
3. Do not test in a manner that would disrupt the operation of ThreatSims' solutions.
4. Do not test in a manner that would result in sending unsolicited or unauthorized junk mail, spam, or other forms of unsolicited messages.
5. Do not post, transmit, upload, link to, send, or store any malicious software.
6. Do not test equipment or the physical security of ThreatSims' facilities.
7. Do not use social engineering techniques.
8. Do not test third-party applications, websites, or services that integrate with or link to ThreatSims' properties.
9. Do not publicly disclose any vulnerability until 30 days after it has been resolved by ThreatSims and without prior written consent. Additionally, avoid including any sensitive data in the disclosed vulnerability.
10. Please make every effort to respect the privacy of our users and employees.
11. Remove all data and sensitive information acquired from the analysis after submitting the report.

Response Times

ThreatSims will make the best effort to meet the following response times for researchers participating in our program:

• Time to first response (from report submission): 2 business days
• Time to triage (from report submission): 3 business days

We will make sure to keep you updated on our progress throughout the entire process.

Accepted Vulnerabilities

Accepted in-scope vulnerabilities include, but are not limited to:

• Injection vulnerabilities
• Broken Authentication and Session Management
• Cross Site Scripting (XSS)
• Remote Code Execution
• Insecure Direct Object Reference
• Sensitive Data Exposure
• Security Misconfiguration
• Missing Function Level Access Control
• Using Components with Known Vulnerabilities
• Directory/Path transversal
• Exposed credentials
• Subdomain takeover vulnerabilities
• Business logic vulnerabilities

Out Of Scope Vulnerabilities

The Responsible Disclosure Program does not cover the following vulnerabilities. Please DO NOT report these out-of-scope vulnerabilities, including but not limited to:

• Social Engineering attacks
• Account enumeration using brute-force attacks
• Weak password policies and password complexity requirements
• Missing http security headers which do not lead to a vulnerability
• Reports from automated tools or scans
• Broken Link Hijacking
• Presence of autocomplete attribute on web forms
• Missing cookie flags on non-sensitive cookies
• Reports of SSL/TLS issues, best practices or insecure ciphers
• User email enumeration
• Self-exploitation attacks
• Test versions of applications
• No / weak captcha/captcha bypass
• Mail configuration issues including SPF, DKIM, DMARC settings
• Clickjacking on pages with no sensitive actions
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
• Attacks requiring MITM or physical access to a user's device
• Previously known vulnerable libraries without a working Proof of Concept
• Comma Separated Values (CSV) injection without demonstrating a vulnerability
• Any activity that could lead to the disruption of our service (DoS)
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Rate limiting or bruteforce issues on any endpoint
• Missing best practices in Content Security Policy
• Missing HttpOnly or Secure flags on cookies
• Vulnerabilities only affecting users of outdated or unpatched browsers
• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
• Tabnabbing
• Open redirect - unless an additional security impact can be demonstrated
• Issues that require unlikely user interaction
• Non-Administrative credentials obtained by malware, data leaks or shared on the dark web

In-scope Assets

The following domains are in scope for responsible disclosure:

• threatsims.com
• *.threatsims.com

Acknowledgments

We do not offer a bounty or cash reward program for security disclosures. However, we are thankful to security researchers and will publicly acknowledge their efforts by adding their names to our Hall of Fame page. Reports with critical and high severity that have been resolved may receive an award, but this decision is solely made by ThreatSims.

Legal

By submitting a report to ThreatSims, you are acknowledging that you have read and agreed to these terms. You are also confirming to ThreatSims that you are the sole creator of the submission. By submitting, you grant ThreatSims permission to use, reproduce, copy, modify, and otherwise handle your submission as ThreatSims deems appropriate.

Please submit your findings at : security@threatsims.com