Security Issues Response Policy
Huly does not run a bug bounty program, does not guarantee payment for reported bugs, and does not publicly disclose vulnerability reports.
This policy applies to any Huly software, services, or web servers. Currently, this includes:
- .huly.app
- .huly.io
If you have discovered a security or privacy vulnerability that affects Huly products and want to report it to the appropriate developers, please use the official email address.
Please do not rely on Twitter/Telegram direct messages, social media, online chat, blog comments, or postal mail. Anything that is not sent via the right mechanism is at risk of being missed, misclassified, misevaluated, or misfiled.
The correct email contact is: [email protected]
When reporting a vulnerability, please describe the attack scenario, its exploitability, and the security impact of the bug.
The following issues are considered out of scope and will not be accepted:
- Output from security scanners and other automated tools without a clear proof of concept and a demonstrated impact;
- Reports based solely on software or protocol version numbers, without demonstrating actual exploitation;
- Reports about the absence of a protection mechanism or non-compliance with recommendations (for example, a missing CSRF token) without demonstrating a real negative consequence;
- Framing;
- Social engineering;
- Clickjacking;
- SPF/DKIM/DMARC issues;
- Man-in-the-middle attacks;
- Vulnerabilities in partner services and products that do not directly affect the security of the company's services;
- Infrastructure vulnerabilities, including:
  - Server configuration issues (e.g. open ports, TLS versions, etc.);
  - Issues related to SSL certificates.
Responsible Disclosure Guidelines
We will investigate legitimate reports and make every effort to correct any vulnerability quickly. In return, we ask that you:
- Provide details of the vulnerability, including the information needed to reproduce and validate it, and a proof of concept (PoC).
- Report any vulnerability within 7 days of identifying it.
- Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
- Do not modify or access data that does not belong to you.
- Do not make any issue information or private correspondence public.
Research guidelines
Reports must be clear and detailed and must include a reliable way to reproduce the issue, such as a working exploit. A high-quality research report is critical to helping us confirm and address an issue more quickly.
A complete report includes:
- Detailed description of the issue(s) and the behavior you observed, as well as the behavior that you expected
- Numbered list of steps required to reproduce the issue
- Reliable exploit for the issue you are reporting
- Details of any related issues or variants
In addition, you must meet the following requirement:
- You must be the first party to report the issue directly to Huly Product Security by email.