Graaf is constantly striving to improve its service and security. We have a program in place where security vulnerabilities can be reported.
The following are not eligible:
DDoS, spam, phishing, social engineering
Vulnerabilities which are either only hypothetical or beyond what can be reasonably patched and fixed by Graaf.
Vulnerabilities that have already been made known to Graaf
Vulnerabilities using outdated or un-patched software or browsers
Vulnerabilities pertaining to WordPress itself
General vulnerabilities that have not been carefully evaluated before making Graaf aware of them, including by general botting software
CSP Headers, X-Frame-Options, Content Sniffing, DNSSEC, DMARC etc.
Third party application or site vulnerabilities (with exception of those that directly lead to a vulnerability with Graaf)
Clickjacking on pages without sensitive actions
User flag changes that don't result in a breach of sensitive data or actions
Any changes to flags or credentials on a local or external system that do not bypass or fetch sensitive data or allow additional actions from Graaf's API (e.g. changes that give the appearance of a bypass in your own local browser but do not gain any additional access, privileges, actions or data)
Non-severe or sensitive information pertaining to our information website www.graaf.one
The vulnerability must be considered a serious security threat.
Graaf management has discretion as to when/how to give compensation.
No disruption to our services including connection or deletion/permanent manipulation of data.
Do not target or violate the privacy of other user accounts; only use your own account.
The primary vulnerability should be on the application app.graaf.one and not the information site www.graaf.one, with the exception of extreme severity.
You must disclose the security vulnerability to Graaf through private channels only, namely support email.
Act in good faith.
Fully detailed information on how to replicate the attack and what it can accomplish
Send to email@example.com
For eligible vulnerabilities we give out a minimum of $10, with higher compensation considered for the seriousness and impact of the vulnerability.