We appreciate your interest in our program for responsible disclosure. We value the help of security researchers and individuals in spotting and reporting potential flaws since we take the security of our systems and user data seriously. This program provides instructions for the proper disclosure of any identified security flaws.
Scope
Any of the Rently services (iOS, Android or Web apps) which process, store, transfer or otherwise use personal or sensitive personal information, such as card data and authentication data.
Domains | *.rently.com
iOS Apps | All the iOS applications present here
Android Apps | All the Android applications present here
Reporting Process
How to Report?
We ask that you promptly and responsibly submit any information about security flaws you find in our systems. We take security concerns seriously and act quickly to address substantiated reports. If you are the first to report a valid security issue, we'll give you a spot on our Hall of Fame page as our way of saying thanks. Anyone is welcome to send security-related reports to [email protected].
What should be in the report?
When reporting a vulnerability, please include all relevant information that will allow us to understand and reproduce the issue. This should include a clear description of the vulnerability, steps to reproduce it, and any supporting materials such as screenshots or proof-of-concept code.
Email Format:
Name: %name
Bug type: %bugtype
Domain: %domain
Severity: %severity
URL: %url
PoC: %poc
What are the next steps?
- Upon receiving your report, our security team will acknowledge receipt within 15 days. We will then investigate the issue and, if necessary, engage with you to gather additional information or clarify any details.
- We strongly support responsible disclosure. We ask that you hold off on making the vulnerability public until we have had enough time to look into it and fix it. We promise to keep your findings completely confidential, and we’ll cooperate with you to address the vulnerability and recognize your contribution.
- Once the vulnerability is verified and resolved, we will notify you of the fix and, if desired, provide appropriate credit for your responsible disclosure. We value your contributions and may acknowledge your efforts in our security advisories or Hall of Fame, subject to your consent.
Our Focus Areas
- SQL injection
- Remote Code Execution (RCE) Vulnerability
- Authentication and authorization vulnerabilities, including horizontal and vertical privilege escalation (use two different test accounts created by you)
- Domain Takeover Vulnerability
- Stored XSS, DOM XSS, Blind XSS, IDOR, SSRF
- Massive leak of sensitive user information
- Any vulnerability that could affect the Rently brand, user (customer/seller) data and financial transactions
What is not eligible?
- Duplicate submissions and Known Issues
- Missing rate limiting (unless it involves a serious data threat or loss of business)
- Missing CAA record
- Vulnerabilities that require physical access to the victim's unlocked device
- Self-XSS, including DOM-based issues that are only exploitable through Self-XSS
System and Infrastructure Related
- DOS and DDOS attacks
- Patches released within the last 120 days
- Networking issues or industry standards
- Password complexity
- Email related:
  - SPF or DMARC records
  - Gmail "+" and "." acceptance
  - Email bombs
  - Unsubscribing from marketing emails
- Information leakage:
  - HTTP 404 codes/pages or other HTTP non-200 codes/pages
  - Fingerprinting / banner disclosure on common/public services
  - Disclosure of known public files or directories (e.g. robots.txt)
  - Cacheable SSL pages
Login and Session Related
- Brute force
- Missing captcha
- Session timeouts
Important Information
We request that you refrain from any malicious activities, such as exploiting the vulnerability or accessing unauthorized data. Your activities should strictly adhere to legal and ethical standards.
Please note that this Responsible Disclosure Program does not grant any permission to perform any testing or activities that may violate applicable laws or compromise the privacy and security of our systems and users.
Thank you for your cooperation in helping us maintain the security of our systems. Your responsible disclosure is greatly appreciated.
Hall of Fame
Rently would like to thank the people who have contributed to securing our network, applications, and users. Anyone who has made a report in accordance with the guidelines in the Responsible Disclosure policy can be included in the Hall of Fame.
HoF Members | 2022
Reporter | # reports in 2023
Miguel Mendoza | 2
Miguel Mendoza | 3
Miguel Mendoza | 2

HoF Members | 2023
Reporter | # reports in 2023
Miguel Mendoza | 2
Miguel Mendoza | 3
Miguel Mendoza | 2