Vulnerability Disclosure Program


Welcome to the TFT VDP Policy

At Think Future Technologies (TFT), security is paramount. We invite security researchers and ethical hackers to participate in our Vulnerability Disclosure Program. By reporting potential vulnerabilities and security issues in our technology services, libraries, solutions, and frameworks, you help us ensure the highest level of security for our clients. We value your expertise and partnership in enhancing our offerings and protecting our clients’ business outcomes. Join us in building a safer technological future.

Disclosure Policy

  1. We request that you inform us promptly upon discovering a potential security vulnerability. Our team will work quickly to resolve the issue.
  2. We ask for a reasonable time period to resolve the issue before it is disclosed to the public or any third-party.
  3. We kindly request that you make a sincere effort to avoid violating privacy, damaging data, or disrupting our services in any way.

Reporting Guidelines

  1. Please provide a detailed report with a clear textual description of the issue along with the steps to reproduce the vulnerability.
  2. Include attachments such as screenshots or PoC code where they are needed to demonstrate the issue.
  3. Include a clear attack scenario. How will this affect us exactly?
  4. Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

If you have discovered any vulnerability in the TFT platform, please submit it to our vulnerability disclosure program hosted by BugBase.

OR

Report the identified bug to our security team by sending an email from your registered email address to [email protected]. The subject line must start with the prefix “Bug:” followed by the name of the vulnerability, and the mail must strictly follow the format below.

Subject: Bug: Vulnerability Name – Your Full Name

Email body:

Note: The TFT security team will review the submission and respond within 7 working days.

Security Focus Areas

At TFT’s Vulnerability Disclosure Program, we prioritize the discovery of security vulnerabilities that directly impact the integrity and confidentiality of our technology ecosystem. We highly appreciate your efforts in helping us identify and rectify potential threats. Our program focuses on the following critical areas:

  1. Admin Panel: Uncovering vulnerabilities in our admin panel that could lead to unauthorized access or compromise of sensitive data.
  2. Open Ports: Identifying potential security risks associated with open ports, which could expose our systems to unauthorized external access.
  3. Sensitive Information: Discovering instances where sensitive information might be inadequately protected, potentially leading to data leaks or unauthorized disclosures.
  4. Contact Form: Highlighting vulnerabilities in our contact form to prevent potential exploits that might compromise user communication or data.
  5. Form Submission: Examining the security of form submissions to ensure that user inputs are properly sanitized and validated to prevent potential attacks.
  6. File Upload on Career Section: Identifying weaknesses in the file upload functionality within our career section to prevent potential malicious file uploads or unauthorized access.

Acknowledgements

We currently don’t operate a bounty or cash reward initiative for disclosures; however, we have various ways to show our appreciation for your valuable input. In cases of sincere and ethical disclosures, we’re more than willing to recognize your contribution publicly. This recognition can take the form of an acknowledgement in the dedicated section on our website. Of course, we’ll proceed with this gesture only if you’re comfortable with receiving public acknowledgement.

Hall of Fame Criteria
  1. Your name and profile will be displayed on our “Hall of Fame” page for a valid critical or high finding.
  2. Your name and profile will also be displayed on our “Hall of Fame” page for more than 5 new valid medium or low findings within 90 days.

Exclusions

Out of Scope Domains
  1. Any subdomain of tftus.com unless it is explicitly listed as “in-scope”
  2. All testing and staging environments are out of scope for this program

Reports falling into the categories listed below are considered out of scope for our VDP:

  1. Clickjacking on pages with no sensitive actions
  2. Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  3. Attacks requiring MITM or physical access to a user’s device
  4. Any activity that could lead to the disruption of our service (DoS)
  5. Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  6. Rate limiting or bruteforce issues on non-authentication endpoints
  7. Missing security headers
  8. Self XSS
  9. Missing HttpOnly or Secure flags on cookies
  10. Weak password policies
  11. Session hijacking
  12. Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  13. Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
  14. Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors) / Known public files or directories disclosure (e.g. robots.txt, css/images etc)
  15. Public Zero-day vulnerabilities that have had an official patch for less than 1 month
  16. Tabnabbing
  17. Open redirect – unless an additional security impact can be demonstrated
  18. Issues that require exceedingly unlikely user interaction
  19. Spamming (e.g. SMS/Email Bombing).
