Naspers values the input of the security community to create a more secure Internet and welcomes the opportunity to collaborate with community members who share this common goal.
This coordinated vulnerability disclosure program (VDP) is limited to security vulnerabilities identified within Naspers's public online presence. Please review the full program contents, including the scope and testing rules, before submitting your findings.
For the initial prioritization/rating of findings, this program uses the Bugcrowd Vulnerability Rating Taxonomy (VRT). Note that in some cases a finding's priority will be adjusted up or down based on its actual likelihood or impact in Naspers's environment. Whenever an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.
Out of scope
Testing is only authorized on the target listed as In scope below. Any domain or property of Naspers not listed in the targets section is out of scope; this includes any and all subdomains that are not explicitly listed. If you believe you've identified a vulnerability on a system outside the scope, please reach out to email@example.com before submitting.
In scope
https://www.naspers.com is our corporate website. Researchers are invited to test all aspects of this application by following the guidelines detailed in this program.
Please note: no credentials will be provided for testing.
Testing rules
Please do not run automated vulnerability scanners against this program. Custom scripts and fuzzing tools are permitted, but if you use them, keep your traffic to six requests per second or less. Note also that Naspers already runs automated scans (Acunetix, OWASP ZAP, Nessus and similar) against the in-scope target, so running those tools yourself is likely to be of minimal utility. Please avoid them unless you need them for targeted, specific testing, and even then stay below six requests per second.
Focus areas
- Cross-site Scripting (XSS)
- Cross-site Request Forgery
- Server-Side Request Forgery (SSRF)
- SQL Injection
- Remote Code Execution (RCE)
- XML External Entity Injection (XXE) with significant impact
- Access Control Issues
- Authentication Bypass Issues
- Authorization Flaws
- Privilege Escalation
- Directory Traversal Issues
- Sensitive Information Disclosure
- Data Exposure
- Business Logic Vulnerabilities
Out of scope
The following submission types will not be rewarded (as per Bugcrowd's Vulnerability Rating Taxonomy):
- Denial of service (DoS) attacks
- Findings as reported by automated tools without additional analysis as to how and what is vulnerable
- Vulnerabilities only affecting users of outdated or unpatched browsers
- Spam reports
- Phishing and social engineering reports
- Targeted attacks against social media or third-party services that Naspers uses (LinkedIn, Twitter, etc.)
Safe harbor
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via firstname.lastname@example.org before going any further.