Vulnerability Reporting Policy
At Homifax, safeguarding our customers’ and members’ data is of utmost importance. We deeply appreciate the diligent efforts of ethical security researchers who investigate vulnerabilities. We actively engage with the information security community to address and resolve any security issues reported to us. If you possess information related to potential security vulnerabilities in Homifax products or services, we encourage you to reach out to us.
Bug Bounties
At Homifax, we do not operate a bug bounty program or provide rewards for security disclosures. Nevertheless, we highly value the dedication of security researchers who invest their time in investigating and reporting security vulnerabilities to us in alignment with our policy.
Scope
This program is not a means to submit complaints about Homifax, or its subsidiaries’ (hereafter referred to as “Homifax”) services or products, or for inquiries regarding the availability of company web sites or online services.
The following types of vulnerabilities are considered out of the scope for the purposes of this program:
- Volumetric vulnerabilities (e.g., Denial of Service or Distributed DoS);
- Reports of non-exploitable vulnerabilities and violation of “best practices” (e.g., missing security headers);
- Transport Layer Security (TLS) configuration weaknesses (e.g., support for “weak” cipher suites);
- Fingerprinting/banner disclosure on common/public services;
- Self-cross-site scripting (XSS);
- Internal IP disclosure;
- Cross-site request forgery (CSRF);
- Un-exploitable HTTP Methods (e.g., OPTIONS or HEAD);
- Error-messages with non-sensitive data; and
- Lack of secure/HTTP-only flags on non-session cookies.
Homifax may update this policy at any time, including by making changes to the list of out-of-scope vulnerabilities.
Reporting a Vulnerability
If you’ve identified an in-scope vulnerability, please email securityreporting@homifax.com. Include the following details:
- Detailed vulnerability description
- Full URLs related to the vulnerability
- Proof of Concept (POC) or instructions for reproducing the vulnerability
- Involved entry fields or filters
- Risk assessment
- Contact information for follow-up questions
While offering a solution is encouraged, it’s not mandatory. However, a lack of detailed explanation may cause delays in our response and subsequent actions. Thank you for your vigilance in keeping our systems secure.
Guidance
This policy prohibits the performance of the following activities:
- Hacking, penetration testing, or other attempts to gain unauthorized access to Homifax software or systems;
- Active vulnerability scanning or testing;
- Disclosure or use of any proprietary or confidential Homifax information or data, including customer data; or
- Adversely impacting the operation of Homifax software or systems.
Security researchers must not violate any law, or access, use, alter or compromise in any manner any Homifax data.
If you have any questions regarding this policy or the guidance above, please contact our security team for guidance: securityreporting@homifax.com.
What to Expect
Upon receiving a vulnerability report, Homifax or its representatives will acknowledge it with an automated response. If further information is required for investigation, Homifax may reach out to the reporter(s). To safeguard our customers, we do not disclose, discuss, or confirm security issues.
Public Notification
In order to protect our customers, Homifax requests that security researchers not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed customers and stakeholders as needed. The time to address a valid, reported vulnerability will vary based on the impact of the potential vulnerability and the affected systems.
Policy Definitions
Vulnerability: A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events.
Denial of Service (DoS): An attack on a service from a single source that floods it with so many requests that it becomes overwhelmed and is either stopped completely or operates at a significantly reduced rate.
Distributed Denial of Service (DDoS): An attack on a service from multiple compromised computer systems that floods it with so many requests that it becomes overwhelmed and is either stopped completely or operates at a significantly reduced rate, thereby denying service to legitimate users or systems.
Transport Layer Security (TLS): A protocol that provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.
Self-Cross-Site Scripting (XCSS): A social engineering attack to gain control of a victim's web accounts via the victim unknowingly running malicious code on their own web browser.
Cross-Site Request Forgery (CSRF): A type of malicious exploit of a web site where unauthorized commands are transmitted from a user that the web site trusts. This is also known as a one-click attack or session riding.
Effective Date
The effective date of this policy is May 20, 2023.