Responsible Disclosure

We appreciate your interest in our program for responsible disclosure. We value the help of security researchers and individuals in spotting and reporting potential flaws since we take the security of our systems and user data seriously. This program provides instructions for the proper disclosure of any identified security flaws.

Scope

Any of the Rently services (iOS, Android, or web apps) that process, store, transfer, or otherwise use personal or sensitive personal information, such as card data and authentication data.

Domains: *.rently.com
iOS Apps: All the iOS applications present here
Android Apps: All the Android applications present here

Reporting Process

How to Report?

We ask that you responsibly submit any information involving security flaws you find in our systems promptly. We take security concerns seriously and act quickly to address substantiated security concerns. We’ll give you a spot on our Hall of Fame page as our way of saying thanks if you are the first to report a valid security issue. Anyone is welcome to send security-related reports to [email protected].

What should be in the report?

When reporting a vulnerability, please include all relevant information that will allow us to understand and reproduce the issue. This should include a clear description of the vulnerability, steps to reproduce it, and any supporting materials like screenshots or proof-of-concept code.

Email Format:

Name: %name

Bug type: %bugtype

Domain: %domain

Severity: %severity

URL: %url

PoC: %poc


What are the next steps?

  1. Upon receiving your report, our security team will acknowledge the receipt within 15 days. We will then investigate the issue and, if necessary, engage with you to gather additional information or clarify any details.
  2. We strongly support responsible disclosure. We ask that you hold off on making the vulnerability public until we have had enough time to look into it and fix it. We promise to keep your findings completely confidential, and we’ll cooperate with you to address the vulnerability and recognize your contribution.
  3. Once the vulnerability is verified and resolved, we will notify you of the fix and, if desired, provide appropriate credit for your responsible disclosure. We value your contributions and may acknowledge your efforts in our security advisories or Hall of Fame, subject to your consent.

Our Focus Areas

  1. SQL injection
  2. Remote Code Execution (RCE) Vulnerability
  3. Authentication and authorization vulnerabilities, including horizontal and vertical escalation. (Use 2 different test accounts created by you)
  4. Domain Takeover Vulnerability
  5. Stored XSS, DOM XSS, Blind XSS, IDOR, SSRF
  6. Massive leak of sensitive user information
  7. Any vulnerability that could affect the Rently brand, user (customer/seller) data, and financial transactions

What is not eligible?

  1. Duplicate submissions and known issues
  2. Rate limiting issues (unless they involve a serious data threat or loss of business)
  3. Third-party software such as Salesforce, Domo, WordPress on WPengine, etc.
  4. High severity CVEs published within the last 6 months.
  5. 0day exploits, unless the product is made by Rently brands.
  6. Configuration and best-practice findings such as SPF/DMARC, missing security headers including CSP, or insecure SSL/TLS ciphers that do not lead to an exploit.
  7. Information disclosure such as software versions, file paths, email addresses, and IP addresses.
  8. PoCs that rely solely on a DNS lookup or HTTP request from tools such as Burp Collaborator or webhook.site.
  9. Lack of Secure/HttpOnly flags and CSRF tokens on non-sensitive pages (anonymous forms or logout page).
  10. Clickjacking that does not exist on our in-scope pages.
  11. Cross-domain leakage.
  12. Open redirects, unless the impact is high.
  13. Email and account policies such as reset method and password complexity.
  14. Theoretical XSS or Self-XSS without evidence of exploitability, such as an input merely being reflected in the response.
  15. Exploits that require physical access to the victim’s device.
  16. Demo and testing sites.
  17. Missing CAA record
  18. Networking issues or industry standards
  19. Disclosure of known public files or directories (e.g. robots.txt, wp-cron.php)
  20. Cacheable SSL pages
  21. Brute force
  22. Missing CAPTCHA
  23. Session timeouts

The following are strictly prohibited:

  1. Do not leave any system in an unusable state. Simply leaving a text file to demonstrate you have access to the system is sufficient.
  2. Do not test any domain or subdomains not listed above unless authorized.
  3. Do not perform denial of service (DoS / DDoS) attacks, including testing of rate limits and brute force.
  4. Do not perform physical attacks against our offices and data centers.
  5. Do not perform social engineering of our service desk, employees, or contractors.
  6. Do not compromise user or employee accounts, including interacting with accounts you do not own.
  7. Do not exfiltrate any data.
  8. Do not mass-create accounts or services.

Automated scanning tools such as Burp, Zap, Nessus, OpenVAS, etc. are allowed. However, we do not accept reports generated from scanning tools. Please also be mindful of denial of service when using those tools.

Legal

Under no circumstances should your testing and reporting of a security vulnerability affect the availability of Rently’s services, violate Rently’s Terms of Service, or disrupt or compromise any data that is not your own.

Please note that this Responsible Disclosure Program does not grant any permission to perform any testing or activities that may violate applicable laws or compromise the privacy and security of our systems and users.

To be eligible for the program, you must not be employed by Rently, or be a family member of a person employed by Rently.
Rently reserves the right to modify the terms of or cancel the program at any time. In addition, this program is void where prohibited by law.

Important Information

Rently would like to thank the people who have contributed to securing our network, applications, and users. Anyone who has made a report following the guidelines in the Responsible Disclosure policy can be included in the Hall of Fame.

Thank you for your cooperation in helping us maintain the security of our systems. Your responsible disclosure is greatly appreciated.


Hall of Fame


HoF Members | 2023

Reporter               Reports in 2023
Syed                   1
Aditya Saxena          3
Anupam                 2
Gokul AP               1
Derick Downss          2
Palwasha               1
Shashank Chaudhary     1
Parth Narula           1
Suraj Kumar            1

HoF Members | 2022

Reporter               Reports in 2022
Palwasha               1
Burhan                 6
Alvi Alex              1

HoF Members | 2021

Reporter               Reports in 2021
HackerAhmed            1
Pritam Dash            2