Vulnerability Program

Graaf is constantly striving to improve its service and security. We have a program in place where security vulnerabilities can be reported.

Exclusions

The following are not eligible:

DDoS, spam, phishing, social engineering

Vulnerabilities which are either only hypothetical or beyond what can be reasonably patched and fixed by Graaf.

Vulnerabilities that have already been made known to Graaf

Vulnerabilities using outdated or unpatched software or browsers

Vulnerabilities pertaining to WordPress itself

General vulnerabilities that have not been carefully evaluated before making Graaf aware of them, including by general botting software

CSP Headers, X-Frame-Options, Content Sniffing, DNSSEC, DMARC etc.

Third party application or site vulnerabilities (with the exception of those that directly lead to a vulnerability with Graaf)

Clickjacking on pages without sensitive actions

User flag changes that don’t result in breaches of sensitive data or actions

Any changes to flags or credentials on a local or external system that do not bypass or fetch sensitive data or allow additional actions from Graaf’s API (e.g. changes that give the appearance of a bypass in your own local browser but do not gain any additional access, privileges, actions or data)

Non-severe or sensitive information pertaining to our information website www.graaf.one

Terms

The vulnerability must be considered a serious security threat.

Graaf management has discretion as to when/how to give compensation.

No disruption to our services including connection or deletion/permanent manipulation of data.

Do not target or violate the privacy of other user accounts; only use your own account.

The primary vulnerability should be on the application app.graaf.one and not the information site www.graaf.one, with the exception of extreme severity.

You must disclose the security vulnerability to Graaf only in private channels, namely support email.

Act in good faith.

Format

Fully detailed information on how to replicate the attack and what it can accomplish

Send to info@graaf.one

Compensation

For eligible vulnerabilities we give out a minimum of $10, with higher compensation considered for the seriousness and impact of the vulnerability.