Bug Bounty Program

Reporting Vulnerabilities in the Order Desk Application

Our security team is committed to protecting our customers. As part of this commitment, we invite security researchers to help protect Order Desk and its users by proactively identifying security vulnerabilities via our bug bounty program. We work hard every day to maintain and improve our systems and processes to serve our customers better. However, should you find weaknesses in our application, we would appreciate you reporting them to us responsibly!

Program Rules

  • Only target the Order Desk application at app.orderdesk.me. Reports regarding any other marketing website Order Desk owns will not be accepted for this bug bounty program.
  • Don’t violate the privacy of our users, destroy any data or disrupt our services. Don’t be harmful when your aim is to help us secure our system better.
  • Only target your own accounts in the process of investigating any bugs/findings. Don’t target, attempt to access, or otherwise disrupt the accounts of other users without the express permission of our team.
  • Don’t target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDoS) attacks, etc.
  • In case you find a severe vulnerability that allows system access, you must not proceed further and instead report your findings directly to us.
  • Please compile your findings. We receive many reports daily, so the fewer individual messages we need to go through, the more efficient the Bug Bounty Program will be.
  • Order Desk has the final decision about when and how bugs should be addressed.
  • All bug reports are confidential and are to remain between the reporter and Order Desk. Disclosing bugs to a third party is forbidden. Researchers must destroy all artifacts created to document vulnerabilities (PoC code, videos, screenshots) after the bug report is closed.
  • Threats of any kind will result in the immediate disqualification and banning of the researcher.
  • Exploiting or misusing a vulnerability for your own or others’ benefit will automatically disqualify the report.
  • We will not accept automated scanner outputs. Order Desk periodically performs automated scans.
  • Vulnerabilities that require a proxy for communication between Order Desk services and clients are not considered for this program.

How to Report a Bug

  • If you choose to, you can provide your IP address in the bug report. This is optional and will be kept private for tracking your testing activities and to review the logs from our side.
  • You can report weaknesses to us by email at security@orderdesk.com. Please state your findings concisely in your email.
  • Describe the issue you have found as explicitly and in as much detail as possible and provide any evidence you might have.
  • It is particularly helpful to include the following in your email:
    • The type of vulnerability (please see the categories listed below first)
    • Steps taken to reproduce the bug
    • Any related URLs
    • Objects and elements involved (if applicable)
    • Screenshots

Vulnerability Categories

Name                                       Notes
Cross-Site Request Forgery                 With significant security impact
Cross-Site Scripting                       Self-XSS is out of scope
Open Redirects                             With significant security impact
Cross Origin Resource Sharing              With significant security impact
SQL Injections
Server Side Request Forgery
Privilege Escalation
Encryption Weaknesses
Local File Inclusion
Remote File Inclusion
Leakage of Sensitive Data
Authentication Bypass, Unauthorized Access
Directory Traversal
Payment Manipulation
Remote Code Execution