Summary

Mobidea is a Mobile Programmatic Affiliate Network for Media Buyers and Webmasters. We specialize in User Acquisition focused on CPA (Cost per Acquisition) and CPI (Cost per Install) campaigns, converting your mobile traffic like no other.

Data and Security

Our affiliates trust us with very important information and that's why we've decided to launch our Bug Bounty Program (BBP). We need to have the best security system possible and, through the BBP, we'll reward security researchers if and when they report a VALID security vulnerability.

Targets

In scope

Responsible disclosure

  • Refrain from the following: a) accessing private information (please test only on your own accounts); b) performing actions that may negatively affect Mobidea users (spam, denial of service); c) trying to break into any of the Mobidea offices or attempting phishing attacks against our employees.
  • You MUST NOT disclose a Mobidea vulnerability to the public, either on your blog or on your social media page(s), before the problem gets fixed. Before posting it and showing it to the public, be aware that you need to send us the blog post so that it can be properly analysed.
  • You must not exploit any security vulnerabilities such as SQL injection. Do not use it to dump our database in an attempt to show us how serious the vulnerability really is. If you want to demonstrate a threat, just send us the following info: a) hostname; b) current database user.

Our responsibilities

  • We vow never to pursue police investigations against security researchers who report security vulnerabilities without the intention of exploiting them for their own benefit.
  • We promise that we will reply to your security report within 24 hours.
  • We will work hard to get the reported bug fixed as quickly as possible.

Account Creation

You MUST use the @bugcrowdninja.com email alias when signing up for Mobidea accounts that will be used to participate in this bounty.
For example, if your Bugcrowd username is researcher, you must use researcher@bugcrowdninja.com. If you require multiple accounts, you can make use of the alias sub-addressing feature and sign up with an email address such as researcher+randomstring@bugcrowdninja.com.

Accounts not following these rules will be suspended without warning.

Qualified vulnerabilities

All services provided by Mobidea located at affiliates.mobidea.com are eligible for our bug bounty program. As a rule, we are interested in receiving bugs that genuinely pose a threat to the security of Mobidea and its affiliates. Here are some examples of relevant findings that will receive a bounty reward.

  • SQL injection
  • Server-side Remote Code Execution (RCE)
  • Privilege escalation
  • Local/Remote file Inclusion
  • XML External Entity Attacks (XXE)
  • Cross-site Scripting (XSS)
  • Cross-site Request Forgery
  • Open Redirect
  • Rate-limit Attacks

The following finding types are specifically excluded from the bounty:

  • Social engineering attack reports that require user interaction
  • Reports about sessions/cookies (session fixation, missing Secure flag, HttpOnly problems, etc.)
  • Reports about a weak password policy
  • CSRF with low impact (e.g. CSRF in a file download)
  • Reports about missing SPF records
  • Reports that links should expire after one-time use (e.g. expiring a password reset link)
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages
  • Fingerprinting / banner disclosure on common/public services
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Clickjacking and issues only exploitable through clickjacking
  • CSRF on forms that are available to anonymous users (e.g. the contact form)
  • Logout Cross-Site Request Forgery (logout CSRF)
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
  • Lack of a security speedbump when leaving the site
  • Weak CAPTCHA / CAPTCHA bypass
  • Login or Forgot Password page brute force and account lockout not enforced
  • OPTIONS HTTP method enabled
  • Username / email enumeration
    • via Login page error message
    • via Forgot Password page error message
  • Missing HTTP security headers
  • Vulnerabilities as reported by automated tools without additional analysis as to how they are an issue
  • Denial of Service attacks
  • Content injection issues
  • Non-validated reports from automated web vulnerability scanners (Acunetix, Vega, etc.)
  • SSL/TLS scan reports (this means output from sites such as SSL Labs)
  • Open ports without an accompanying proof-of-concept demonstrating a vulnerability
  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console)

  • You will be eligible for Kudos only if you are the first person to disclose a previously unknown issue to Mobidea.

  • If you have any questions about our bug bounty program, send us an email at security@mobidea.com.

Out of Scope bugs for Android apps

  • Shared links leaked through the system clipboard
  • Any URIs leaked because a malicious app has permission to view opened URIs
  • Absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • User data stored unencrypted on external storage
  • Lack of obfuscation
  • OAuth "app secret" hard-coded/recoverable in the APK
  • Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)
  • Any kind of sensitive data stored in the app's private directory
  • Lack of binary protection controls in the Android app

Out of Scope bugs for iOS apps

  • Lack of exploit mitigations, i.e. PIE, ARC, or stack canaries
  • Absence of certificate pinning
  • Path disclosure in the binary
  • User data stored unencrypted on the file system
  • Lack of obfuscation
  • Lack of jailbreak detection
  • OAuth "app secret" hard-coded/recoverable in the APK
  • Crashes due to malformed URL schemes
  • Lack of binary protection (anti-debugging) controls
  • Snapshot/pasteboard leakage
  • Runtime hacking exploits (exploits only possible in a jailbroken environment)

Rules

This bounty follows Bugcrowd’s standard disclosure terms.

This bounty requires explicit permission to disclose the results of a submission.