Updated: March 12th, 2019
Overview
If you've found a security vulnerability, we'd like to address the issue. We welcome responsible security researchers from the community who want to help us improve our products and services.
Please privately notify us and give us at least 30 days to address the problem before making any kind of public disclosure, particularly if the vulnerability is sensitive in nature. When you notify us of a potential problem, we will work with you to make sure we understand the scope and cause of the issue, and address the issue in a manner consistent with its severity.
Monarx, Inc. is currently not rewarding cash prizes or swag for reporting vulnerabilities. We hope to offer both in the near future via a bug bounty platform such as HackerOne or Bugcrowd; however, until then, your submission will be met with gratitude and glory. If you would like to report a vulnerability, please abide by these rules:
• Don't attempt to gain access to another user’s account or data.
• Don't attempt to degrade the services.
• Don't impact other users with your testing or access their data.
• Don't bombard our infrastructure using large lists for fuzzers, scanners, or other automated tools to find vulnerabilities.
In-Scope Services
We want to know about any significant issues on any of our domains:
monarx.com
*.monarx.com
monarx.io
*.monarx.io
We are chiefly interested in high- or critical-severity vulnerabilities, such as those that result in RCE, LFI, SQLi, injection or similar exploits. Please exercise reasonable discernment in what you choose to submit, include ample reproduction instructions and a working PoC if you are able, and do not send us low-severity issues or best-practice recommendations. We are not able to provide test credentials to researchers at this time.
Out-of-Scope Issues
The following types of reports/attacks are out of scope. Do not attempt them:
• DOS attacks
• Do NOT access customer data
• Brute force attacks
• Physical vulnerabilities
• Social engineering attacks
• Anything related to our emails
• CSRF issues
• Self-XSS and issues exploitable only through self-XSS
• Clickjacking and issues only exploitable through clickjacking
Safe Harbor
We are committed to protecting the interests of security researchers. We will not pursue legal action against responsible researchers whose behavior matches the above guidelines, is reasonable and prudent, and is consistent with industry standards.
Contact
If you choose to email us, encrypting your email is not required.
Please send reports to security@monarx.com