Responsible Vulnerability Disclosure Program

Overview

Naturaw is committed to ensuring customer data and personal information remain secure and protected throughout their interactions with our services. To that end, Naturaw is running a best-in-class Responsible Vulnerability Disclosure Program, in cooperation with Isodos, aiming to enable our community of technically-minded individuals and security researchers to report potential security vulnerabilities identified in any of our main services.

To responsibly report such weaknesses, please follow these general guidelines:

  • Please use the vulnerability disclosure form at the bottom of this page for all relevant submissions
  • Report identified vulnerabilities promptly for quick assessment and remediation by our security experts, expediting your reward process
  • To protect our customers and partners, keep identified vulnerabilities confidential:
    • Submissions should be confidential and no public disclosure or other publication should be made
    • We reserve the right to withhold rewards or initiate legal action if these conditions are not met
  • Destroy any personal data or other confidential information that you may encounter as a result of an identified vulnerability, immediately after submission, to protect user privacy.
  • Make sure that any vulnerability research is performed legally, refraining from unauthorized access to computer systems, user accounts, and sensitive information.
  • Malware, direct customer contact, spam, fraudulent emails or electronic messages are strictly forbidden under this program’s rules

Scope

You are asked to report all identified security vulnerabilities, unless they fall under one or more of the categories explained below, which are considered out of scope and will not be accepted as legitimate vulnerability submissions by the Naturaw cybersecurity team. The following vulnerability types are out of scope:

  • HTTP security headers
  • Browser cookie security flags
  • SSL/TLS & certificate related issues (ex. ciphers, certificate strength etc.)
  • Password policy (ex. password complexity, expiration, password reset timeout etc.)
  • Session expiration time interval
  • Self-XSS
  • Error messages – Unless they lead to sensitive data exposure
  • Clickjacking issues
  • Account lockout policies
  • Security control recommendations (firewalls, WAFs etc.)
  • Vulnerabilities only relevant to users of legacy/obsolete/out-of-date browsers
  • Email server issues – Unless directly exploitable through the web application/API
  • Email/Username enumeration (other enumerations are in scope)
  • Out-of-date vulnerable third-party libraries (Unless you can demonstrate exploitability of the vulnerability on the web application)

Forbidden activities

The following activities are strictly prohibited, will not be eligible for any rewards and may even result in accounts/IP addresses/clients getting banned from our services altogether:

  • Phishing/Social Engineering attacks
  • Malware & Malicious software usage
  • Denial of Service & Distributed Denial of Service attacks
  • IP/port scanning
  • Attacking the load-balancers that serve the applications and API endpoints directly
  • Attacking the network and/or hosts of the applications and API endpoints directly – unless possible through an application/API vulnerability
  • Post-exploitation activities (lateral movement, backdoors, rootkits, scheduled tasks etc.)
  • Excessively aggressive use of automated scanning tools:
    • Always pace your scanning tools to a reasonable amount of concurrent requests against the environment
    • Do not create huge amounts of new database entries via automated means (ex. New accounts) – Only create what is necessary for your testing
    • Do not attempt to bruteforce credentials

Rewards

Rewards are awarded by Naturaw in the form of Naturaw Points, after successful validation of your submission and confirmation by the Isodos cybersecurity team, in accordance with our bounty terms & conditions described here: https://naturaw.ca/bounty-terms

Submissions will be acknowledged within 24 hours by our team, at which point we will forward the request to Isodos who will start working to validate your submission. This process will usually take no more than 3 business days but is subject to security team availability and other priorities.

For any further questions about the program and its guidelines, please reach out to Isodos Technology Partners at www.isodos.ca

Responsible Vulnerability Disclosure Form

Naturaw Points For Valid Bugs

You are awarded Naturaw Points for each valid accepted report. You must be the first person to report the bug.

Each bug is rated on a priority scale of P1 – P5 according to Isodos’ VRT, with points awarded accordingly:

Priority   Level                        Points
P1         Critical                     5000 points
P2         High                         2500 points
P3         Moderate                     1500 points
P4         Low                          1000 points
P5         Non-exploitable weaknesses   100 points

Points are not awarded for duplicate submissions. Points have no cash value and are awarded and can be redeemed in accordance with Naturaw T&Cs.
