IPSX Security

Vulnerability Reporting Program

We recognize the importance of security researchers in keeping our IPSX community safe. IPSX encourages responsible disclosure of security vulnerabilities.

Responsible disclosure includes:

  1. Respecting privacy - Make a good-faith effort not to access, leak or destroy IPSX user data.
  2. Doing no harm - Act for the common good by reporting all findings.
  3. Being patient - Provide a reasonable amount of time to clarify and fix the discovered issues.

IPSX will not take unreasonable punitive actions against security researchers who point out a problem, provided they do their best to follow the above guidelines. We reserve the right to publish security reports and/or company updates containing the vulnerabilities reported by the security researchers.

Rewards Process

IPSX may offer rewards to security researchers for reporting bugs that help us improve our security. Your submission containing the reported vulnerabilities will be reviewed and validated by the IPSX Security team. Providing clear and concise steps to reproduce the finding will help expedite the response. However, we reserve the right to evaluate the reported vulnerabilities, their relevance and risk level. The decision on whether to issue a reward, and the related amount, will be made after the evaluation.

We cannot offer rewards to individuals who are on sanctions lists, or who are in countries on sanctions lists. Any tax implications are fully your responsibility, depending on your country of residency and citizenship. Further restrictions may also apply, depending on your local law.

We can cancel the IPSX Security Vulnerability Reporting Program at any time, and the decision as to whether or not to offer a reward is entirely at our discretion.

We are especially interested in, and willing to reward, the following types of vulnerabilities:

  • Stored and reflected XSS
  • RCE / command injections
  • SQL injections
  • XML injections / XXE
  • Serious data leakage vulnerabilities
  • CSRF or broken session management with exploitable PoC
  • SSRF
  • Significant Security Misconfiguration
  • Authentication and authorization flaws

Out of Scope:

  • Error messages, stack traces
  • Lack of SPF records
  • Disclosure of used software versions
  • Misconfiguration or lack of certain HTTP headers
  • Vulnerabilities that are not exploitable in modern browsers
  • Lack of Secure and HttpOnly flags on cookies that are not considered sensitive
  • Username or email enumeration
  • Spam or social engineering techniques
  • Denial-of-service attacks

Reporting security issues

All vulnerabilities affecting the IPSX Services (e.g. https://ip.sx, https://app.ip.sx) should be reported via email to support@ip.sx.

Old hall of fame

IPSX credits the following people who have helped with security so far:

  1. Daniel “Hertz” Bugarin
  2. Andrei Avadanei (Advisor)
  3. George Bunea (IPSX team member)
  4. Csaba Achim (IPSX team member)