Introduction
At Mediahoki, we are committed to ensuring the safety and security of our online platforms. We take user privacy and system security very seriously. As part of our ongoing efforts to improve the security of our systems and services, we invite collaboration from ethical hackers and external security researchers through our Vulnerability Disclosure Program (VDP).
Guidelines
- Notify us promptly once you discover a genuine or potential security vulnerability.
- Avoid causing harm: Please refrain from privacy violations, negatively impacting user experience, disrupting production systems, or manipulating or destroying data.
- Limit your exploitation: Use exploits only as far as necessary to confirm that a vulnerability exists. Do not use exploits to exfiltrate data, gain unauthorized access, or pivot to other systems.
- Do not share vulnerability information: You are prohibited from discussing the vulnerability with third parties or disclosing it before we have had the opportunity to resolve the issue.
- Quality over quantity: Ensure that your vulnerability reports are clear, detailed, well-researched, and reproducible.
- Sensitive data handling: If you encounter sensitive data, such as personally identifiable information, financial data, or proprietary data, immediately cease testing, notify us, and do not share this data with anyone else.
Scope
Our Vulnerability Disclosure Program covers all publicly accessible IT systems owned by Mediahoki.
Websites:
- *.mediahoki.com
Vulnerabilities
The following types of vulnerabilities qualify for submission under our security program:
- XSS (Cross-Site Scripting)
- CSRF (Cross-Site Request Forgery)
- SSRF (Server-Side Request Forgery)
- SSTI (Server-Side Template Injection)
- SQL Injection
- XXE (XML External Entity)
- RCE (Remote Code Execution)
- LFI/RFI (Local/Remote File Inclusion)
- Authentication/Authorization flaws
Out of Scope Vulnerabilities
Certain types of issues fall outside the scope of our program, including:
- Security concerns with no immediate exploitability
- Social engineering attacks
- Physical access vulnerabilities
- Denial of Service attacks
- Email Spoofing
- Lack of jailbreak detection or obfuscation
- Reports about missing HTTP security headers (unless demonstrated with a clear PoC)
- Insecure SSL/TLS ciphers or weak signature algorithms (unless proven exploitable)
- Libraries with known vulnerabilities (unless proof of exploitation is provided)
Safe Harbor
As long as you comply with our guidelines, your activities will be considered authorized, and we will not take legal action against you. If a third party attempts to take legal action against you for activities done in compliance with this policy, we will support your defense by demonstrating that you were acting within our rules.
If you're uncertain about whether your research is aligned with our policy, feel free to contact us for clarification before proceeding.
What You Can Expect from Us
This is not a bug bounty program, so there is no monetary reward. However, we appreciate your efforts and will acknowledge your contributions in the following ways:
- A timely response to your report (within 5 business days).
- Coffee or beer at our office (location TBD) to discuss your findings.
- A badge on your community profile for critical discoveries.
Reporting
To report a vulnerability, please email us at: vulnerability@mediahoki.com
Report Language
Please submit your reports in English or German.
Report Template
Please use the following template when submitting your vulnerability report:
# Description
Describe the vulnerability: its type, the affected host, endpoint or parameter, and the impact an attacker could achieve.
# Proof of Concept
Include the request, payload, or code that demonstrates the issue, along with any relevant screenshots.
# Steps for Reproduction
Outline the steps to reproduce the issue in a clear, step-by-step manner, including any prerequisites such as test accounts or configuration.
# Supporting Materials
Attach any additional supporting materials, such as further screenshots, logs, or recordings.
Thank you for helping us improve the security of Mediahoki!