Reporting Vulnerabilities in the Order Desk Application
Our security team is committed to protecting our customers. As part of this commitment, we invite security researchers to help protect Order Desk and its users by proactively identifying security vulnerabilities via our bug bounty program. We work hard every day to maintain and improve our systems and processes to serve our customers better. However, should you find weaknesses in our application, we would appreciate you reporting them to us responsibly!
- Only target the Order Desk application at app.orderdesk.me. Reports regarding any other marketing website Order Desk owns will not be accepted for this bug bounty program.
- Don’t violate the privacy of our users, destroy any data or disrupt our services. Don’t cause harm when your aim is to help us make our system more secure.
- Only target your own accounts in the process of investigating any bugs/findings. Don’t target, attempt to access, or otherwise disrupt the accounts of other users without the express permission of our team.
- Don’t target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDoS) attacks, etc.
- In case you find a severe vulnerability that allows system access, you must not proceed further and instead report your findings directly to us.
- Please compile your findings. We receive many reports daily, so the fewer individual messages we need to go through, the more efficient the Bug Bounty Program will be.
- Order Desk has the final decision about when and how bugs should be addressed.
- All bug reports are confidential and are to remain between the reporter and Order Desk. Disclosing bugs to a third party is forbidden. Researchers must destroy all artifacts created to document vulnerabilities (PoC code, videos, screenshots) after the bug report is closed.
- Threats of any kind will result in the immediate disqualification and banning of the researcher.
- Exploiting or misusing a vulnerability for your own or others’ benefit will automatically disqualify the report.
- We will not accept automated scanner outputs. Order Desk periodically performs automated scans.
How to Report a Bug
- If you choose to, you can provide your IP address in the bug report. This is optional; it will be kept private and used only to track your testing activity and to review the logs on our side.
- You can report weaknesses to us by email at firstname.lastname@example.org. Please state your findings concisely in your email.
- Describe the issue you have found as explicitly and in as much detail as possible and provide any evidence you might have.
- It is particularly helpful to include the following in your email:
  - The type of vulnerability (please see the categories below first)
  - Steps taken to reproduce the bug
  - Any related URLs
  - Objects and elements involved (if applicable)
| Vulnerability type | Notes |
|---|---|
| Cross-Site Request Forgery | With significant security impact |
| Cross-Site Scripting | Self-XSS is out of scope |
| Open Redirects | With significant security impact |
| Cross Origin Resource Sharing | With significant security impact |
| Server Side Request Forgery | |
| Local File Inclusion | |
| Remote File Inclusion | |
| Leakage of Sensitive Data | |
| Authentication Bypass, Unauthorized Access | |
| Remote Code Execution | |