VIDIO BUG BOUNTY PROGRAM

Vidio invites security researchers, hackers, and the general public to participate in our Bug Bounty program, aimed at discovering and addressing security vulnerabilities in our website and mobile applications. We value your commitment to enhancing the security of our services and are eager to collaborate with you in this effort. If you find any method of stealing our content, please inform us as we are interested in exploring it further. Good luck and enjoy the hunt!

Reporting

If you believe you have discovered a security flaw in the Vidio service, please report it immediately. We will talk about it and work together to find a solution.

Please read and understand the following information and regulations before conducting a security research experiment on Vidio:

♦ You are only allowed to use your account for security checks and must not harm other users or the system in Vidio.
♦ You may not publish the findings of a security vulnerability to the general public without our permission.
♦ You may only publish security flaw findings that are considered valid, not duplicates, and have gone through our verification process.
♦ It would be best if you did not exploit the security holes found for personal or group interests.
♦ Vidio will not impose sanctions or legal action on security researchers as long as it complies with the rules of the Bug Bounty program.
♦ Vidio will impose sanctions and legal steps against those who do not follow the regulations based on applicable law, including but not limited to the Law of the Republic of Indonesia No. 11 of 2008 concerning Information and Electronic Transactions or other local laws in the field of information and electronic transactions.
♦ By joining this program, you are aware of all the information above and agree to be bound by the rules that have been mentioned.

Reporting Step

You can report your findings to security [at] vidio.com by writing an explanation and sending it to them. The following items must be included in your report:

♦ Types of security vulnerabilities found.
♦ Short steps are needed to reproduce your findings.
♦ Proof of Concept (PoC) in an image or video. Please attach it to the email.
♦ The impact that this security hole can cause.
♦ Suggestions/remediation in fixing security holes.

Rewards

Our rewards are impact-based. What that means is we will issue a relatively high reward for any vulnerability which potentially leaks sensitive user data, but that we will issue little to no reward for a vulnerability that allows an attacker to deface the microsite. When we have our reward meetings, we always ask one question: If a malicious attacker abuses this, how bad are we affected by it? We assume the worse and pay out the bug accordingly. If we receive a report for the same issue, we would only offer the bounty to the earliest reporter for which we had enough actionable information to identify the issue. We do not want to encourage people spamming us with vague issues in an attempt to be first.

At the end of the day, all reward payouts are at our discretion, but we aim to be fair. Some researchers won't agree with our decisions, but we are paying out to the best of our ethical ability and trust that the majority of researchers will consider their rewards fair and in many cases generous. We will adapt as the program continues. By receiving the reward, it would mean that the bounty has been accepted and the terms and conditions of not disclosing the bounty to public applies.

TERMS & CONDITIONS

Please keep in mind that your participation in the Bug Bounty Program is entirely voluntary and is subject to the terms and conditions outlined on this page ("Terms & Conditions"). You acknowledge that you have read and agree to these Program Terms by submitting a site or product vulnerability to Vidio.

Prohibited Testing

♦ Non-technical attacks like social engineering, phishing, or unauthorized infrastructure access are prohibited.
♦ Do not launch any attacks that could disrupt our services (e.g., DDoS/Spam).
♦ Do not attack our end users in any way, and do not trade stolen user credentials.
♦ It is strictly forbidden to use automated scanners and tools to find vulnerabilities.
♦ Do not perform automated/scripted testing on web forms, particularly "Contact Us" forms designed to allow customers to contact our support team.
♦ You may test for vulnerabilities in your own or test accounts, but not in others' data or access.

In-Scope Domain

♦ vidio.com
♦ www.vidio.com
♦ m.vidio.com
♦ api.vidio.com
♦ vid.id
♦ Android applications
♦ iOS applications
♦ AndroidTV, tvOS, ReactTV

In-Scope Vulnerability Classes

Content Protection and DRM Issues:

♦ DRM Bypass and Cracking: Exploits or methods for circumventing Digital Rights Management (DRM) protections.
♦ Screensharing and HDCP Vulnerabilities: Issues related to unauthorized screensharing or weaknesses in High-bandwidth Digital Content Protection (HDCP).
♦ Content Piracy: Includes Credential Theft, Session Token Theft, Content Key Decryption, and Geo-Blocking Bypass.
♦ Replay and Redistribution Attacks: Capturing and replaying protected content streams or unauthorized redistribution of protected content.
♦ Content Watermarking and Fingerprinting Attacks: Exploits related to watermarking systems and digital fingerprints used for content protection.
♦ License Management Vulnerabilities: Issues with systems managing licenses or rights for accessing protected content.

General Vulnerability Classes:

♦ Cross-site Scripting (XSS)
♦ Cross-site Request Forgery (CSRF)
♦ Server-Side Request Forgery (SSRF)
♦ SQL Injection
♦ Server-side Remote Code Execution (RCE)
♦ XML External Entity Attacks (XXE)
♦ Access Control Issues: Insecure Direct Object Reference (IDOR) and similar issues.
♦ Exposed Administrative Panels: Panels that do not require login credentials.
♦ Directory Traversal Issues
♦ Local File Disclosure (LFD)
♦ Misconfiguration Issues: Problems with server or application configuration.
♦ Significant Authentication Bypass
♦ Information Disclosure: Exposure of sensitive information.
♦ Server-Side Template Injection (SSTI)
♦ Leaked Private Keys
♦ Local/Remote File Inclusion (LFI/RFI)

Out-of-scope Vulnerability Classes

♦ Open redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing oauth tokens, we do still want to hear about them.
♦ Publicly accessible login panels - These generally have low security impact and are in software that Vidio runs but doesn’t control.
♦ Reports that state that software is out of date/vulnerable without a proof of concept.
♦ Host header issues without an accompanying proof-of-concept demonstrating vulnerability.
♦ XSS issues that affect only outdated browsers.
♦ Stack traces that disclose information.
♦ CSV injection. Please see this article.
♦ Missing best practices (we require evidence of a security vulnerability).
♦ Highly speculative reports about theoretical damage. Be concrete.
♦ Self-XSS that can not be used to exploit other users (this includes having a user paste JavaScript into the browser console).
♦ Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.
♦ Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.
♦ Denial of Service Attacks.
♦ Reflected File Download (RFD).
♦ window.opener-related issues.
♦ Physical or social engineering attempts (this includes phishing attacks against PT Vidio Dot Com employees).
♦ Content injection issues.
♦ Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
♦ Missing autocomplete attributes.
♦ Missing cookie flags on non-security-sensitive cookies.
♦ Issues that require physical access to a victim’s computer.
♦ Missing security headers that do not present an immediate security vulnerability.
♦ Fraud issues.
♦ SSL/TLS scan reports (this means output from sites such as SSL Labs).
♦ Banner grabbing issues (figuring out what web server we use, etc.).
♦ Open ports without an accompanying proof-of-concept demonstrating vulnerability.
♦ Recently disclosed 0 day vulnerabilities. We need time to patch our systems just like everyone else - please give us two weeks before reporting these types of issues.
♦ Disclosure of known public files or directories.
♦ Use of a known-vulnerable library without a description of an exploit specific to our implementation.
♦ OPTIONS / TRACE HTTP method enabled.
♦ Cookies that keep working after logout.
♦ Presence of autocomplete attribute on web forms.
♦ Cookies that lack HTTP Only or Secure settings for non-sensitive data.
♦ Issues related to networking protocols or industry standards.
♦ Username enumeration based on login, forgot password, account creation and registration pages. Enforcement policies for brute force or account lockout.
♦ Unrealistically complicated clickjacking attacks.
♦ Mail configuration issues including SPF, DKIM, DMARC settings.
♦ Password or account recovery policies, such as reset link expiration or password complexity.
♦ Publicly accessible login panels.
♦ Content spoofing / text injection.
♦ Mixed content issues.
♦ XMLRPC bug.
♦ Issues related to active sessions after password changes.
♦ Hyperlink injection in emails using forms available to any user.
♦ Reports of credentials exposed by other data breaches / known credential lists.
♦ Lack of crossdomain.xml, p3p.xml, robots.txt or any other policy files and/or wildcard. * presence/misconfiguration in these.
♦ Man-in-the-Middle attacks, except for sensitive information such as passwords.
♦ Functional product defects, garbled pages, style mixing, file path traversals that do not cause business impact.
♦ Lack of root detection in mobile apps.
♦ Scenarios requiring excessive user interaction or tricking users like phishing or clickjacking.
♦ Rate limiting, brute force attack.
♦ Vulnerabilities found in third party services.
♦ EXIF data not stripped on images.
♦ Phishing risk via unicode/punycode or RTLO issues.
♦ Missing HTTP security headers, specifically, Example : Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP, Content-Security-Policy-Report-Only.
♦ Recently disclosed 0day vulnerabilities. We need time to patch our systems, please give us 1 month before reporting these types of issues.
♦ Entering the SCTV Tower, throwing popcorn everywhere, unleashing a bunch of cats, and hijacking our servers while engineers are distracted...

Confidentiality

Bounty must keep confidential any related material or information about Vidio bugs that Bounty learns, either directly or indirectly, in writing, electronically, orally, or by examining natural objects ("Confidential Information"). Prizes may not disclose any Confidential Information to third parties, unless expressly permitted by Vidio. Bounty shall take reasonable steps to protect the confidentiality of, and avoid the disclosure and unauthorized use of, Confidential Information, including, but not limited to, restricting disclosure of such Confidential Information to third parties who have been advised of its confidential nature. And have agreed not to disclose or use such Confidential Information in any way other than as authorized by Vidio. Any unauthorized or suspected use or disclosure of Confidential Information by Bounty must be reported immediately to Vidio. Despite the foregoing, the Bounty has no obligation hereunder for any information that the Bounty knew prior to Vidio's exposure; was publicly available through no fault of the Bounty; was legally and legally disclosed to the Bounty by a third party without any obligation of confidentiality to Vidio; or was independently developed by Bounty without reference to Confidential Information.

Changes to Program Terms

Vidio reserves the right to change or cancel the Bug Bounty Program, including its policies, at any time and without notice. As a result, Vidio reserves the right to change these Program Terms and policies at any time by posting a revised version on our website. You accept the Program Terms, as amended, by participating in the Bug Bounty Program after Vidio posts the changes.

Hall of Fame

This page is dedicated to you. We are honored to have your name displayed here.

♦ Awaken Sin
♦ Putra Aji Adhari
♦ Foysal Ahmed Fahim
♦ Rafi Andhika Galuh
♦ Andika Fransisco
♦ Amir Farhan
♦ Ardyan Vicky Ramadhan
♦ Guarded Researcher
♦ Bagas
♦ Aidil Arief
♦ Aman
♦ amirfaki234@gmail.com
♦ Koutrouss
♦ Helmay Cahyadi
♦ Tushar Sharma
♦ Ashutosh Shukla
♦ Udin Gans
♦ Raman Mohurle
♦ Faiz Hanafi
♦ Nitish Shah
♦ Eric Head
♦ Rifa'i Rejal Maynando
♦ Ade Krisna
♦ Rovel Prasetya
♦ Aviad Carmel - Salt Security
♦ Aditya Alfiki
♦ Bagas
♦ Arez TheHopeBuster
♦ Galatia Sijabat
♦ Soultan Muhammad Albar
♦ Mahendra Nanda
♦ Azhari Harahap x2
♦ Maulana Noer Fauzy
♦ Rama Aryo Prambudi