Responsible Disclosure Policy

Motionvillee Technology Pvt. Ltd. will engage with external security researchers when vulnerabilities are reported according to the rules set about in the responsible disclosure policy.

Rules

Any vulnerabilities submitted through this policy must adhere to the following rules:
  1. Submissions must adhere to the scope mentioned in this policy.
  2. Any information about the vulnerability must remain confidential between Motionvillee and yourself indefinitely.
  3. The vulnerability cannot be disclosed in any medium or form.
  4. Do not perform an attack that would compromise the integrity of Motionvillee’s services.
  5. DDOS for example is NOT allowed.
  6. You waive claims of any nature arising out of a disclosure accepted by Motionvillee.

Requests for Compensation

We do only provide Hall of Fame (Acknowledgement on our own Website) & not provide monetary compensation for any vulnerability reported. Requesting compensation will make you non-compliant with this policy. Motionvillee may however choose to send Certificate of Appreciation or Swag at its own discretion.

Scope

In Scope:

The following targets are considered in scope:
  1. Motionvillee Technology Pvt. Ltd.’s website located at https://motionvillee.com
  2. Motionvillee Technology Pvt. Ltd.’s web application located at https://{subdomain}.motionvillee.com

Out of scope:

  • Social engineering
  • DDOS
  • Automation scripts and tools
  • Any spelling mistakes
  • Any UI/UX bugs
  • Issues that do not affect the latest version of modern browsers
  • General best practice concerns
  • Same issue under multiple subdomains
  • Self XSS
  • Open Redirect without proven security impact
  • Brute Force attacks
  • Man-in-the-Middle attack
  • Clickjacking without proven security impact
  • Disclosed Google API keys
  • Verbose messages/errors without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Tab-nabbing
  • Host Header Injection
  • Cross-domain referrer leakage
  • Email spoofing, SPF, DMARC or DKIM
  • Email bombing
  • Version disclosure
  • Issues that require unlikely user interaction
  • Broken link hijacking (e.g. social media links)
  • Weak SSL/TLS configurations reports
  • Disclosing API keys without any security impact
  • Physical attacks – Attacks that require physical access to a victim’s device
  • Recently disclosed 0-day vulnerabilities in third-party products
  • Reports without proof of exploitation
  • Stripping EXIF data – We choose not to strip EXIF data since customers need them. This is by design.
  • Known issues

How to Submit a Vulnerability Report

All vulnerabilities must be reported to security@motionvillee.com with the following details:
Details:
  • Full Name:
  • Mobile Number:
  • LinkedIn Profile:
  • Bug Details:
  • Name of the Vulnerability:
  • Proof of concept:
  • Detailed steps to reproduce:
Preference, Prioritization, and Acceptance Criteria We will use the following criteria to prioritize and triage submissions.

What we would like to see from YOU:

  • Well-written reports in English will have a higher probability of resolution.
  • Reports that include proof-of-concept code equip us to better triage.
  • Reports that include only crash dumps or other automated tool output may receive lower priority.
  • Reports that include products not on the initial scope list may receive lower priority.
  • Please include how you found the bug, the impact, and any potential remediation.
  • Please include any plans or intentions for public disclosure.

What you can expect from MOTIONVILLEE:

  • A timely response to your email (within 3 business days).
  • After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
  • An open dialog to discuss issues.
  • Notification when the vulnerability analysis has completed each stage of our review.
  • Credit/Acknowledgement/Certificate after the vulnerability has been validated and fixed.

Complying with this policy

As long as you follow the instructions laid out in this policy, Motionvillee Technology Pvt. Ltd. will commit to the following:
  • We will not pursue civil or criminal legal action against you or initiate a complaint to law enforcement for accidental, good faith violations of this policy considering there is no damage done to the party concerned. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act.
  • We will work with you to understand the vulnerability and fix it.
  • We will keep you informed of the timeline to fix the vulnerability, post verifying its authenticity.

Public disclosure

By default, this program is in “PUBLIC NONDISCLOSURE” mode which means:
‍THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ONE SHOULD NOT RELEASE THE INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO THE PUBLIC, FAILING WHICH THEY SHALL BE LIABLE FOR LEGAL PENALTIES.