{"id":34,"date":"2021-04-25T23:42:00","date_gmt":"2021-04-25T16:42:00","guid":{"rendered":"https:\/\/n45ht.or.id\/blog\/?p=34"},"modified":"2025-10-14T17:16:25","modified_gmt":"2025-10-14T10:16:25","slug":"vulnerability-disclosure-program","status":"publish","type":"post","link":"https:\/\/n45ht.or.id\/blog\/vulnerability-disclosure-program\/","title":{"rendered":"N45HT Vulnerability Disclosure Program"},"content":{"rendered":"\n<p>No technology is perfect, and N45HT believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you&#8217;ve found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Response Targets<\/h4>\n\n\n\n<p>N45HT will make the best effort to meet the following response targets.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><th>Type of response<\/th><th>Business day<\/th><\/tr><tr><td>First response<\/td><td>3 business days<\/td><\/tr><tr><td>Triage<\/td><td>7 business days<\/td><\/tr><tr><td>Resolution<\/td><td>30 business days<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Report Security Vulnerability<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Please provide details of the issue, including the Proof of Concept, URL Vulnerability, and detailed reproduction steps.<\/li>\n\n\n\n<li>Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.<\/li>\n\n\n\n<li>Social engineering is prohibited.<\/li>\n\n\n\n<li>Do not perform DoS or DDoS attacks.<\/li>\n\n\n\n<li>Please use English or Indonesian when submitting a Security Vulnerability.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Exceptions and Rules<\/h4>\n\n\n\n<p>Any activity that would disrupt, damage, or adversely affect any third-party data or account is not 
allowed.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Assets in scope<\/h4>\n\n\n\n<p>Domains or apps not listed below are out of scope.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><th>Type<\/th><th>Identifier<\/th><\/tr><tr><td>Domain<\/td><td>n45ht.or.id<\/td><\/tr><tr><td>Domain<\/td><td>ctf.n45ht.or.id<\/td><\/tr><tr><td>Domain<\/td><td>api.n45ht.or.id<\/td><\/tr><tr><td>Domain<\/td><td>xssr.n45ht.or.id<\/td><\/tr><tr><td>Domain<\/td><td>auth.n45ht.or.id<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Assets out of scope<\/h4>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><th>Type<\/th><th>Identifier<\/th><\/tr><tr><td>Chrome Extensions<\/td><td>XSSRush.crx<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">In-Scope Vulnerabilities<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SQL Injection<\/li>\n\n\n\n<li>Access Control Issues<\/li>\n\n\n\n<li>Cross-site Scripting (XSS)<\/li>\n\n\n\n<li>Remote Code Execution (RCE)<\/li>\n\n\n\n<li>XML External Entity Attacks (XXE)<\/li>\n\n\n\n<li>Server-side Request Forgery (SSRF)<\/li>\n\n\n\n<li>Cross-site Request Forgery (CSRF)<\/li>\n\n\n\n<li>Unchecked URL-redirection<\/li>\n\n\n\n<li>Privilege Escalation<\/li>\n\n\n\n<li>Directory Traversal<\/li>\n\n\n\n<li>Sensitive Information Disclosure<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Out-of-Scope Vulnerabilities<\/h4>\n\n\n\n<p>The following actions do not qualify for the Vulnerability Disclosure Program and should not be tested by researchers.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Self-XSS<\/li>\n\n\n\n<li>Text Injection<\/li>\n\n\n\n<li>HTML Injection (In some cases, we are still considering this vulnerability.)<\/li>\n\n\n\n<li>Phishing Attacks<\/li>\n\n\n\n<li>Brute-force Attacks or User Enumeration<\/li>\n\n\n\n<li>Denial of Service Attacks<\/li>\n\n\n\n<li>Login\/logout\/low-impact CSRF<\/li>\n\n\n\n<li>CSRF on forms 
that are available to anonymous users<\/li>\n\n\n\n<li>Social Engineering<\/li>\n\n\n\n<li>DNS Attack through Social Engineering<\/li>\n\n\n\n<li>Clickjacking\/UI redressing<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Rewards<\/h4>\n\n\n\n<p>At this time we are not awarding bounties for reported vulnerabilities.<\/p>\n\n\n\n<p><strong>Submit Vulnerability Report<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/n45ht.or.id\/security\">https:\/\/n45ht.or.id\/security<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/hackerone.com\/n45ht\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/hackerone.com\/n45ht<\/a><\/li>\n<\/ul>\n\n\n\n<p>Thank you for helping keep N45HT and our users safe!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>No technology is perfect, and N45HT believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you&#8217;ve found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. 
Response Targets [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":294,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[18],"class_list":["post-34","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-vdp"],"_links":{"self":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/34","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/comments?post=34"}],"version-history":[{"count":1,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/34\/revisions"}],"predecessor-version":[{"id":36,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/34\/revisions\/36"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media\/294"}],"wp:attachment":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media?parent=34"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/categories?post=34"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/tags?post=34"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}