Reminder - Forbidden Activities
Hello all from Skroutz!
Since we have observed some testing of an increasingly destructive nature being conducted against our production environments, we would like to kindly remind you to stick within the program brief's scope and to be extra careful to avoid performing any of the forbidden activities listed in the brief. For your convenience, extra care should be taken to avoid any of the following actions at all costs:
The following activities are strictly prohibited, will not be eligible for any rewards and may even result in researcher accounts/IP addresses/clients getting banned from the production environment altogether:
- Denial of Service & Distributed Denial of Service attacks. Do not attempt to interrupt the production environment's stability/availability. If you discover a relevant issue, please cease all testing and report it to the program directly for triage.
- IP/port scanning
- Attacking the load-balancers that serve the applications and API endpoints directly
- Attacking the network and/or hosts of the applications and API endpoints directly - unless possible through an application/API vulnerability
- Excessive aggression with automated scanning tools: always pace your scanning tools to a reasonable number of concurrent requests against the environment
- Do not create huge amounts of new database entries via automated means (e.g. new accounts). Only create what is necessary for your testing in a manual or semi-automated manner
- Do not attempt to brute force any credentials of any kind
Thank you for your understanding!