
Security

Security and privacy of our customers are pivotal principles as we design products at InMobi. Our developers strive to write secure code, and we take the utmost care to ensure that our digital assets are protected. We realize that there is no silver bullet when it comes to security, and there are times when security bugs slip through despite our best efforts. We welcome working with the security community at large to resolve any security issues promptly.

 

Reporting a security issue 

We would like to foster a culture of collaboration to achieve better security and make the internet a better place. If you believe that you have found a security issue in our product or service that can adversely impact InMobi Group's digital assets, or have a suggestion to improve our security, please contact our security team at secops@inmobi.com. Our security team will get in touch and work with you to understand your research, quantify its severity as per CVSS 3.0, and recognise it as per our awards program.

 

Our Expectation 

 

  • A detailed description of the issue 

  • Steps to reproduce the issue and demonstrate exploitability 

  • Any additional references 

  • Compliance with the spirit of the responsible disclosure guidelines (see below)

  • Collaborative spirit 

  • No malicious activities (** see Appendix A)

 

Our promise to you 
 

  • Prompt acknowledgment of the report (within 2 business days) 

  • Transparency throughout the process 

  • An environment conducive to collaboration 

  • Recognition as per InMobi’s Bug Bounty program 

 

Services in scope 

1) *.inmobi.com 

2) *.glance.com 

3) *.roposo.com 

Exclusions: InMobi Group employees, contract staff and affiliates are not eligible.

 

 

Rewards Philosophy: 

Rewards are proportional to the severity of the vulnerability, the asset value and the overall impact. This evaluation is done by InMobi's security team, using CVSS 3.0 as the benchmark for overall quantification. There may be instances where cash rewards vary for the same type of vulnerability because of differing asset values and overall impact. In exceptional cases, where a vulnerability is unique and complex, the security researcher may be paid more than the Rewards Grid (below) indicates. InMobi reserves discretion over the rewards program and the right to change it without public notice. Vulnerabilities in scope of the bug bounty program are as follows:

Critical Vulnerabilities 

  • Remote Code Execution (RCE) - able to execute arbitrary commands on a remote device 

  • SQL Injection - able to read Personally Identifiable Information (PII) or other sensitive data / full read/write access to a database 

  • Server-Side Request Forgery (SSRF) - able to pivot to internal application and/or access credentials (not blind) 

  • Information Disclosure - mass PII leaks including data such as names, phone numbers and addresses 

  • Local File Inclusion / Remote File Inclusion (LFI/RFI)

 

High Vulnerabilities 

  • Stored Cross-Site Scripting (XSS) - stored XSS with access to non-HttpOnly cookies

  • Information Disclosure - leaked credentials (pertaining to InMobi Group’s digital assets) 

  • Subdomain Takeover - on a domain that sees heavy traffic or would be a convincing candidate for a phishing attack 

  • Cross-Site Request Forgery (CSRF) - leading to account takeover 

  • Account Takeover (ATO) - with no or minimal user interaction 

  • Insecure Direct Object Reference (IDOR) - read or write access to sensitive data or important fields that you do not have permission to 

  • SQL Injection - able to perform queries with a limited access user 

  • IDOR - write access to modify objects that you do not have permission to  

 

Medium 

  • CSRF - able to modify important information (authenticated)  

  • ATO - requiring user interaction

  • XSS - reflected/DOM XSS with access to cookies 

  • XML External Entity (XXE) injection

 

Low 

  • Directory listings  

  • Session management flaws 

  • XSS - POST based XSS (with CSRF bypass) 

  • Lack of HTTPS on dynamic pages (judged on a case-by-case basis) 

  • Server information page (no credentials) 

  • Subdomain Takeover - on an unused subdomain  

 

Rewards Grid:

Category as per CVSS 3.0    Reward       Certificate of appreciation    Hall of fame
Critical                    $300-$500    Yes                            Yes
High                        $200-$300    Yes                            Yes
Medium                      NA           Yes                            Yes
Low                         NA           Yes                            NA

 

 

 

Out of scope vulnerabilities: 

The following categories of vulnerabilities are excluded from rewards.

1) General

  • IDOR references for objects that you have permission to  

  • Duplicate submissions that are being remediated  

  • Known issues  

  • Missing rate limiting (unless it poses a severe threat to data or causes business loss)

  • Multiple reports for the same vulnerability type with minor differences (only one will be rewarded)  

  • Open redirects  

  • Clickjacking and issues only exploitable through clickjacking  

  • Missing HttpOnly or Secure flags on cookies other than session cookies (only session cookies are required to carry these flags)

2)System related  

  • Issues addressed by patches released within the last 30 days

  • Networking issues or industry standards  

  • Password complexity  

  • Email related: SPF or DMARC records, Gmail "+" and "." acceptance, Email bombs, Unsubscribing from marketing emails  

  • Information Leakage: descriptive error messages (e.g. stack traces, application or server errors), HTTP 404 codes/pages or other non-200 HTTP codes/pages, fingerprinting / banner disclosure on common/public services, disclosure of known public files or directories (e.g. robots.txt), cacheable HTTPS pages

3)CSRF  

  • CSRF on forms that are available to anonymous users (e.g. the contact form, sign-up form)  

  • Logout Cross-Site Request Forgery (logout CSRF)  

  • Weak CSRF protection in APIs

4)Login/Session related  

  • Brute force on the Forgot Password page and account lockout not being enforced

  • Lack of Captcha  

  • Sessions not expiring after email change  

  • Presence of application or web browser 'autocomplete' or 'save password' functionality  

  • Session Timeouts  

 

 

Responsible Disclosure 

At InMobi we believe that with great knowledge comes great responsibility. We expect that you will let us know as soon as possible upon discovery of a potential security issue, give us reasonable lead time to respond to your report before making any information public, and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research. You will only interact with accounts you own or with the explicit permission of the account holder. We will reciprocate by working with you to mitigate the issue to the satisfaction of both parties. We would prefer that interested researchers coordinate their efforts with our security team so that we can avoid any untoward incidents that could affect the confidentiality, integrity or availability of InMobi Group's digital assets.

 

**Appendix A 

We classify the following as malicious activities:

  • Performing actions that may negatively affect interests of InMobi Group and/or its users (e.g. Spam, Brute Force, Denial of Service…) 

  • Social engineering (including phishing) of InMobi staff or contractors 

  • Conducting any kind of physical or electronic attack on InMobi personnel, property or data centres 

  • Automated scanning 

  • Deliberate attempts to harm InMobi Group digital assets  

  • Introduction of backdoors/trojans/malware in InMobi Group digital assets 

  • Attempts to breach/copy/store/use/share/sell confidential data 

 

All attempts to cause harm to InMobi Group digital assets and data and that do not follow responsible disclosure will be pursued legally to the full extent permitted by law. 

 

Hall of Fame  

 

Coming soon 
