Mannapov, LLC is a wholesale reseller of mobile devices and developer of mobile device processing software. The company offers a suite of products and services for its customers to identify, diagnose and clear mobile devices of data. Mannapov recognizes that the security community is a force multiplier in our quest to provide a safe and secure experience for Mannapov’s customers. To that end, we welcome the contributions of security researchers and strive to provide the best vulnerability disclosure experience possible.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Minors

Minors are welcome to participate in the program by submitting issues for review. However, the Children’s Online Privacy Protection Act (COPPA) restricts our ability to collect personal information from children under 13, so minors who are 12 years old or younger must have their parent or legal guardian submit their information in order to claim a bounty.

Ratings/Reward

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy (https://bugcrowd.com/vulnerability-rating-taxonomy). However, it is important to note that in some cases a vulnerability’s priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.

Please note that the following class will be marked as Won’t Fix: P5 – Open Redirect, GET-based.

Program Rules

  • Do not perform testing that involves recurring and/or scheduled scans on our platform.
  • Do not perform testing that involves enumerating and/or brute-forcing login and/or registration.
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
  • Do not perform testing on any of our partners (banks, credit card companies, loan companies, etc). Any such activity may result in removal from our program.

Scope

Apps/API – In Scope

  • ICE Universal™ Desktop Application
  • ICE Enterprise™ Desktop Application
  • ICE Enterprise™ Extended Diagnostics Android Mobile Application
  • ICE Enterprise™ Extended Diagnostics iOS Mobile Application
  • ICE Q™ Desktop Application

Web/API – In Scope

  • MannapovLLC.com
  • *.icedb.com
  • ICE.Services
  • useICEnow.com

Out Of Scope

iOS/Android/Desktop Apps:

  • Enumerating and/or brute-forcing login and/or registration.
  • Attacks requiring physical access to a user’s device.
  • Lack of exploit mitigations, i.e. PIE, ARC, or stack canaries.
  • Path disclosure in the binary.
  • Lack of jailbreak detection.
  • Lack of binary protection (anti-debugging) controls.
  • Lack of root detection.
  • Lack of obfuscation.
  • Lack of binary protection.
  • OAuth “app secret” hard-coded/recoverable in apk.
  • Crashes due to malformed URL Schemes.
  • Snapshot/Pasteboard leakage.
  • Runtime hacking exploits (exploits only possible in a jailbroken environment).
  • User data stored unencrypted on the file system on rooted devices.
  • Reports from static analysis of the binary without an accompanying PoC that exploits some business logic or security control.
  • Bypass certificate pinning on rooted devices.
  • Sensitive information retained as plaintext in the device’s memory.
  • Shared links leaked through the system clipboard.
  • Any URIs leaked because a malicious app has permission to view URIs opened.
  • Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope).
  • Sensitive data retrieved as plaintext from disk on rooted devices.
  • Any of our partners (banks, credit card companies, loan companies, etc). Any such activity may result in removal from our program.

Web/API:

  • Enumerating and/or brute-forcing login and/or registration.
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user’s device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
  • Issues that are a result of pivoting (only proof of the initial foothold is necessary).
  • Support tickets (zendesk.creditkarma.com and help.creditkarma.com).
  • Spam (including issues related to SPF/DKIM/DMARC).
  • Fingerprinting/banner disclosure on common/public services.
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Reports About Weak Password Policy.
  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
  • Lack of Security Speedbump when leaving the site.
  • Lack of Captcha/reCaptcha.
  • Lack of 2-factor authentication.
  • HTTPS Mixed Content Scripts.
  • SSL/TLS scan reports (this means output from sites such as SSL Labs).
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability.
  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console).
  • XML-RPC related brute-force/enumeration/DDoS attacks.

Rewards

  • P5 – $50
  • P4 – $100
  • P3 – $250
  • P2 – $500
  • P1 – $1000

Program rules

  • This program follows Bugcrowd’s standard disclosure terms: https://www.bugcrowd.com/resources/essentials/standard-disclosure-terms/
  • For any testing issues (such as broken credentials, or inaccessible application) please email [email protected]. We will address your issue as soon as possible.
  • This program does not offer financial or point-based rewards for P5 — Informational findings.
  • This program is not intended for current Mannapov, LLC employees or their families.
  • This program is not open to individuals who reside in China, Cuba, Iran, North Korea, Russia, Sudan, Syria, or Venezuela.

Disclosure

In the interest of fostering coordinated disclosure, Mannapov will collaborate with finders in good faith who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.

Payment

In order to process reward payments, we will need a W-9 for U.S. citizens and a W-8BEN for individuals residing outside the U.S. Additionally, we will need the following information:

  • Name (must match the name on your banking information)
  • Physical address (must match the address on your banking information)
  • Preferred payment method: check, wire, or ACH (all require your full legal name and address)
  • If selecting wire transfer, we’ll additionally need:
    • International SWIFT code
    • Bank Name
    • Bank Address
    • Bank Account and Routing Number
  • If selecting ACH, we’ll additionally need:
    • Bank Name
    • Bank Address
    • Bank Account
    • Bank Routing Number

Rafael Nieves, Bug Bounty Program