Vulnerability Disclosure Policy

We welcome the contribution of external security researchers and look forward to rewarding them for their invaluable contribution to the security of all Dokobit users.

Rewards

Dokobit provides rewards to vulnerability reporters at its discretion. Our minimum reward is 100 EUR. There is no maximum reward. Reward amounts may vary depending upon the severity of the vulnerability reported and the quality of the report. Here are the minimum rewards for critical vulnerabilities affecting the Dokobit Document Signing Portal and the Dokobit API services (web application and server).

Vulnerability – Reward

  • Remote Code Execution on servers – €2 000
  • Significant Authentication Bypass – €2 000
  • Cross-Site Request Forgery on critical actions – €1 000
  • Cross-site scripting on www.dokobit.com working on all browsers – €1 000

These values are indicative, and we reserve the right to determine the amount, or even whether a reward should be granted at all. We may also pay higher rewards for clever or severe vulnerabilities, and extra bonus bounties for interesting or valuable research.

Applications in Scope

  • Dokobit Document Signing Portal – https://app.dokobit.com
  • Dokobit API sandboxes – https://developers.dokobit.com, https://gateway-sandbox.dokobit.com, https://id-sandbox.dokobit.com
  • Dokobit Portal API – https://app.dokobit.com/api
  • Dokobit Gateway – https://gateway.dokobit.com
  • Dokobit Identity Gateway – https://id.dokobit.com
  • Dokobit E-Signing and E-Identification API – https://ws.dokobit.com

Eligibility and Responsible Disclosure

To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:

  • Share the security issue with us in detail.
  • Be respectful of our existing applications. Spamming forms through automated vulnerability scanners will not result in any bounty or award since those are explicitly out of scope.
  • Give us a reasonable time to respond to the issue before making any information about it public.
  • Do not access or modify our data or our users’ data without explicit permission of the owner. Only interact with your own accounts or test accounts for security research purposes.
  • Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data and immediately purge any local information upon reporting the vulnerability to Dokobit.
  • Otherwise comply with all applicable laws.

We only reward the first reporter of a vulnerability. Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behaviour.

We will not negotiate in response to duress or threats (e.g., we will not negotiate the payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).

Out-of-scope Vulnerabilities

The following issues are outside the scope of our rewards program:

  • Our policies on presence/absence of SPF/DMARC records.
  • Password, email and account policies, such as email ID verification, reset link expiration and password complexity.
  • Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token).
  • Login/logout CSRF.
  • Attacks requiring physical access to a user’s device.
  • Missing security headers that do not lead directly to a vulnerability.
  • Missing best practices (we require evidence of a security vulnerability).
  • Hosting malware/arbitrary content on Dokobit and causing downloads.
  • Self-XSS (we require evidence on how the XSS can be used to attack another Dokobit user).
  • XSS on any site other than www.dokobit.com.
  • Missing HTTP security headers, specifically Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP and Content-Security-Policy-Report-Only.
  • SSL/TLS issues, e.g. attacks such as BEAST and BREACH, renegotiation attacks, forward secrecy not enabled, and weak or insecure cipher suites.
  • We will accept reports of XSS on other dokobit.com subdomains but will not reward them.
  • Host header injections unless you can show how they can lead to stealing user data.
  • Use of a known-vulnerable library (without evidence of exploitability).
  • Reports from automated tools or scans.
  • Reports of spam (i.e., any report involving ability to send emails without rate limits).
  • Attacks that require the attacker's app to have permission to overlay on top of our app (e.g., tapjacking).
  • Vulnerabilities affecting users of outdated browsers or platforms.
  • Social engineering of Dokobit employees or contractors.
  • Any physical attempts against Dokobit Company property.
  • Presence of autocomplete attribute on web forms.
  • Missing cookie flags on non-sensitive cookies.
  • Any access to data where the targeted user needs to be operating a rooted mobile device.
  • Any report on bypassing our storage limits etc. is out of scope.
  • We will only accept critical reports (e.g., RCE) on blog.dokobit.com. Minor issues that can’t impact Dokobit users are out of scope.
  • Content spoofing vulnerabilities (where you can only inject text or an image into a page) are out of scope. We will accept and resolve a spoofing vulnerability where an attacker can inject an image or rich text (HTML), but it is not eligible for a bounty. Pure text injection is out of scope.
  • Creating multiple accounts using the same email is also out of scope.
  • Phishing risk via Unicode/Punycode or RTLO issues.
  • Being able to upload files with the wrong extension in the file chooser.

Disclosure guidelines

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy.
To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy.

Vulnerabilities shall be disclosed to our Cyber Incident Response Team by emailing cirt@dokobit.com. You can encrypt your report with PGP using our public key.