Summary

Mobrand is a CPI mediation platform that promises to revolutionize the way app developers and CPI networks do business.
Mobrand mediates thousands of CPI offers coming from several CPI networks. This means that, by integrating with Mobrand either via SDK or via our Programmatic API, you have the opportunity to run virtually every CPI offer available in the market.

Data and Security

Our affiliates trust us with very important information and that's why we've decided to launch our Bug Bounty Program (BBP). We need to have the best security system possible and, through the BBP, we'll reward security researchers if and when they report a VALID security vulnerability.

Targets

In scope

api.mobrand.net is used for processing the API requests made using your account
t.mobrand.net is used for tracking (click and install attribution) for the applications

Responsible disclosure

  • Refrain from the following: a) accessing private information (test only against accounts you own); b) performing actions that may negatively affect Mobrand users (spam, denial of service); c) trying to break into any of the Mobrand offices or attempting phishing attacks against our employees.
  • You MUST NOT publicly disclose a Mobrand vulnerability, whether on your blog or on your social media page(s), before the problem is fixed. Before publishing, you must send us the blog post so that it can be properly reviewed.
  • You must not exploit security vulnerabilities such as SQL injection beyond what is needed to demonstrate them. Do not use an injection to dump our database in an attempt to show how serious the vulnerability is. To demonstrate the impact, send us only the following information: a) the hostname; b) the current database user.

Our responsibilities

  • We will not pursue a police investigation against security researchers who report security vulnerabilities without exploiting them for their own benefit.
  • We will reply to your security report within 24 hours.
  • We will work hard to get the reported bug fixed as quickly as possible.

Account Creation

You MUST use the @bugcrowdninja.com email alias when signing up for Mobrand accounts that will be used to participate in this bounty.
For example, if your Bugcrowd username is researcher, you must use researcher@bugcrowdninja.com. If you require multiple accounts, you can use the alias sub-addressing feature and sign up with an email address such as researcher+randomstring@bugcrowdninja.com.

Accounts not following these rules will be suspended without warning.

Qualified vulnerabilities

All services provided by Mobrand located at Mobrand.com are eligible for our bug bounty program.
As a rule, we are interested in receiving bugs that genuinely pose a threat to the security of Mobrand and its affiliates. Here are some examples of vulnerability classes that qualify for a bounty reward:

  • SQL injection (SQLi)
  • Server-side Remote Code Execution (RCE)
  • Privilege escalation
  • Local/Remote File Inclusion (LFI/RFI)
  • XML External Entity attacks (XXE)
  • Cross-site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • Open redirect

The following finding types are specifically excluded from the bounty:

- Rate-limit attacks
- Social engineering reports that require user interaction
- Reports about sessions/cookies (session fixation, missing Secure flags, HttpOnly problems, etc.)
- Reports about a weak password policy
- CSRF with low impact (e.g. CSRF on a file download)
- Reports about missing SPF records
- Reports that links should expire after one-time use (e.g. password reset links)
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Fingerprinting / banner disclosure on common/public services
- Disclosure of known public files or directories (e.g. robots.txt)
- Clickjacking and issues only exploitable through clickjacking
- CSRF on forms that are available to anonymous users (e.g. the contact form)
- Logout cross-site request forgery (logout CSRF)
- Presence of application or web browser 'autocomplete' or 'save password' functionality
- Lack of Secure/HttpOnly flags on non-sensitive cookies
- Lack of a security speed bump when leaving the site
- Weak CAPTCHA / CAPTCHA bypass
- Login or Forgot Password page brute force and account lockout not enforced
- OPTIONS HTTP method enabled
- Username / email enumeration
  - via Login page error message
  - via Forgot Password error message
- Missing HTTP security headers
- Vulnerabilities reported by automated tools without additional analysis of how they are an issue
- Denial of service attacks
- Content injection issues
- Non-validated reports from automated web vulnerability scanners (Acunetix, Vega, etc.)
- SSL/TLS scan reports (i.e. output from sites such as SSL Labs)
- Open ports without an accompanying proof of concept demonstrating a vulnerability
- Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console)

  • You will be eligible for Kudos only if you are the first person to disclose a previously unknown issue to Mobrand.

  • If you have any questions about our bug bounty program send us an email to security@mobrand.com

Rules

This bounty follows Bugcrowd’s standard disclosure terms.

This bounty requires explicit permission to disclose the results of a submission.