Keeping our users' info safe & sound is a top priority for us at Sociolla. We truly appreciate your help as an external security researcher (hereinafter, we might refer you as researchers!) who assist us in finding & fixing vulnerabilities in our systems.

If you discover a security issue & responsibly report it to us, we won't take legal action or involve law enforcement. We value your contribution and want to reward you for helping us to keep our platform safe.

If you have any questions, feel free to email us at bugs@sociolla.com.

Thanks for your support!

Responsible Disclosure Policy

We're all about keeping things secure here at Sociolla. If you happen to stumble upon any security vulnerabilities in our systems or infrastructure, we'd love for you to let us know. In return, we ask that researchers follow our responsible disclosure policy, which includes:

1. Give us a bit of time to check out & fix the issues you report before making them public or sharing them with others.
2. Please do not interact with any individual user accounts.
3. Avoid violating anyone's privacy or causing disruptions, including but not limited to unauthorized access or data destruction. Let's keep our services up & running smoothly!
4. We trust that you'll act in good faith and take care to minimize any impact on our company & our esteemed users.
5. The security issues you find should be reported responsibly, not exploited for any reason. Let's keep things safe & sound!
6. Respect and obey any applicable law & regulations (including Indonesian Law), especially when it comes to unauthorized access to data.
7. Accessing user data or company data (including personally identifiable information) is strictly prohibited.
8. If you want to share the details of a vulnerability you've discovered, please give us a reasonable amount of time to fix it. And remember, you can only disclose it publicly after our team gives the green light, & at least three months after we've patched it up without disclosing any data related to our users accounts in any way or form.
9. We reserve the right to decide whether the reports you submit can be made public or not.
10. Reports with a 'critical' severity level can't be published solely by researchers.
11. Just a heads-up: If you publish reports without our consent (even for educational or publicity purposes), we will take legal action which we deem necessary.
12. Unless the reports are already validated & solved, then you may not publish them yet.

We take the security and privacy of our users seriously. To be eligible for the Bug Bounty Program, you must meet the following requirements:

1. Read & agree to our Bug Bounty Program Terms & Conditions.
2. Only submit a report via Google form .
3. Follow our Responsible Disclosure Policy found on our Bug Bounty Program page. We reserve the right to unilaterally amend the Responsible Disclosure Policy.
4. Report a security vulnerability that poses a risk to our systems or privacy. Please note, that we reserve the right to determine the risk of an issue or bug in the report, as not all software bugs are security issues & have security or privacy risk.
5. Report a problem involving one of the products or services listed in our Bug Bounty Program scope.
6. Give us a detailed report, including steps to recreate the issue.
7. Respond promptly to any inquiries or requests for more information.
8. Do not exploit or disclose the vulnerability for any reason beyond testing & validating your report.
9. We only accept the firstly-submitted comprehensive report.
10. Researchers must submit KYC (Know Your Customer) documents & supporting information, including but not limited to: Bank Information & Currency Information within 6 months since your bug reporting submission., Any reports & rewards are considered invalid in the event of researchers' failure to submit such documents & supporting information within the mentioned period.

Due to the volume of reports we receive, please understand that we investigate all valid reports promptly, prioritizing based on risk. We aim to acknowledge and respond within 5 Indonesian business days.

The bounty amount depends on factors, including (but not limited to) impact, ease of exploitation, and report quality. Bounty amounts and qualifying issues may change over time.

In case of duplicate reports, the first valid report receives the reward at our discretion. We may also publish reports with the permission of the researcher.

• In Scope Properties

  • *.sociolla.com
  • *.soco.id
  • iOS Application
  • Android Application

• In Scope Vulnerability

  • Authentication Bypass
  • Access Control Issues
  • Information disclosure of Sensitive Information
  • SQL/NoSQL Injection
  • Server-side Remote Code Execution (RCE)
  • Directory Traversal
  • XML External Entity Attacks (XXE)
  • Cross-site Scripting (XSS)
  • Server-Side Request Forgery (SSRF)
  • Cross-site Request Forgery in Critical Action
  • File upload vulnerabilities
  • Exposed Administrative Panels that can be accessible by internal team
  • Server Side Template Injection (SSTI)

• Out of Scope Properties

  • 3rd Party Apps (Blog, Wordpress, CMS, Microsite, Even Inside sociolla.com/* ,etc.)
  • 3rd Party Plugins

• Out of Scope Vulnerability

  • Reports of spam (i.e., any report involving ability to send emails & SMS without rate limits).
  • Self-XSS (we require evidence on how the XSS can be used to attack another Sociolla user).
  • XSS issues that affect only outdated browsers.
  • Reports that state that software is out of date/vulnerable without a proof of concept.
  • Missing best practices (we require evidence of a security vulnerability).
  • Host header injections unless you can show how they can lead to stealing user data.
  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner).
  • CSV injection.
  • Highly speculative reports about theoretical damage. Be concrete.
  • Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.
  • Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.
  • Missing security headers which do not lead directly to a vulnerability.
  • Missing HTTP security headers, specifically, Example : Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP, Content-Security-Policy-Report-Only.
  • Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.).
  • Missing autocomplete attributes.
  • Phishing risk via unicode/punycode or RTLO issues.
  • Being able to upload files with the wrong extension in the chooser.
  • Missing cookie flags on non-security-sensitive cookies.
  • Issues that require physical access to a victim's computer.
  • Missing security headers that do not present an immediate security vulnerability.
  • Physical or social engineering attempts (this includes phishing attacks against Sociolla employees).
  • Reflected File Download (RFD).
  • Most Brute Forcing issues.
  • Social Engineering (Phishing, Fraud, etc.).
  • Denial of Service Attacks.
  • window.opener (tabnabbing), related issues.
  • Content injection issues.
  • Fraud issues (please see the section below elaborating on this).
  • SSL/TLS scan reports (this means output from sites such as SSL Labs).
  • Banner grabbing issues (figuring out what web server we use, etc.).
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability.
  • Recently disclosed 0day vulnerabilities. We need time to patch our systems, please give us 1 month before reporting these types of issues.
  • Entering the Sociolla offices, throwing crisps everywhere, unleashing a bunch of hungry raccoons, and hijacking an abandoned terminal on an unlocked workstation while staff are distracted...
  • Open redirect (except you can get users token / sensitive info)
  • Clickjacking, we will accept clickjacking if it is severe enough (sensitive page).

• If you spot a security bug, submit a Google Form with us with a proof of concept. Include step-by-step instructions, screenshots, & a video showing how to recreate the vulnerability.
• When you write your report, please use your full legal name, matching the one on your ID & bank account info. If you accidentally stumble upon some classified info while hunting for bugs, give us a heads-up immediately.
• Our Bug Bounty Program doesn't allow any testing that invades privacy or messes with other users' experience. Let's keep it responsible. Work with our awesome security team to get those vulnerabilities fixed up quickly.

• Low: Certificate of Appreciation
• Medium: Reward $100 and a Certificate of Appreciation
• High: Reward $200 and a Certificate of Appreciation
• Critical: Reward $500 and a Certificate of Appreciation

Note: Rewards will be processed within 90 business days after a valid Bug Bounty Report is verified.