INMAGINE Security Disclosure Policy

We take the security of our systems seriously, and we value the security of our users, contributors, clients, and customers. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences for how to submit discovered vulnerabilities to us.

Guidelines

Under this policy, “research” means activities in which you:
  • Notify us as soon as possible after you discover a real or potential security issue.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
  • Only use exploits to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
  • Do not submit a high volume of low-quality reports, or reports with a CVSS score of less than 6.
  • Use the identified communication channels to report vulnerability information to us; and
  • Keep information about any vulnerabilities you've discovered confidential between yourself and INMAGINE until we've had [90] days to resolve the issue.

Confidentiality

Any information you find or collect about INMAGINE or any INMAGINE user through security bugs must be kept confidential and used only in connection with us. Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Accessing the private information of other users and performing actions that may negatively affect INMAGINE users are strictly forbidden. You may not use, disclose or distribute any such confidential information, including, but not limited to, any information regarding your submission and information you obtain when researching the INMAGINE sites, without INMAGINE's prior written consent.

Test methods

In the interest of the safety of our users and staff, we'd like to ask you to refrain from:
  • Spamming.
  • Social engineering (including phishing and vishing) of INMAGINE staff, contractors, contributors or clients.
  • Any physical attempts against INMAGINE property or data centers.
  • Cryptomining.
  • Accessing, or attempting to access, data or information that does not belong to you.
  • Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.
  • Causing, or attempting to cause, a Denial of Service (DoS/DDoS) condition.

If you follow these guidelines and report to us immediately, we commit to the following:
  • We will not initiate legal action against security researchers who adhere to this policy while attempting to find vulnerabilities within our systems.

Reporting a vulnerability

We believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you’ve found a security vulnerability in our system or platform please immediately send it to us by emailing patrick@123rf.com.

Please include the following details with your report:
  • Description of the location and potential impact of the vulnerability;
  • A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and
  • Your name/handle.
Reports should be written in English.

Eligibility

We accept reports with a severity of not less than 6 under CVSS 4. The final severity may be adjusted to reflect the impact of the reported vulnerability on our domains.

More on CVSS 4 scoring: https://www.first.org/cvss/calculator/4.0

In scope

*.123rf.com

Out of Scope

When reporting vulnerabilities, you should consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope for this Program, and we will not accept any of the following types of attacks:
  • Denial-of-service attacks
  • Spam, social engineering or email phishing techniques (e.g. phishing, vishing, smishing)
  • Email spoofing
  • Any security vulnerability on the client side (e.g. browsers, plugins)
  • Software version disclosure
  • Reflected file download
  • Any physical access issues
  • Publicly accessible pages
  • Any weakness or disclosure of information which does not lead to a direct vulnerability
  • Email or account enumeration
  • CSV command execution and CSP weaknesses
  • Any vulnerabilities in third-party apps or websites, which are generally not within the scope of our Program.

Changes to Terms

Inmagine reserves the right to modify or cancel the program and its policies at any time, without prior notice.

Accordingly, Inmagine may amend these Terms and/or its policies at any time by posting a revised version on Inmagine's website. You accept the modified Terms if you continue to participate in the program after changes are made to the Terms.