HOSTING24

Hostinger Responsible Disclosure Policy and Bug Rewards Program

PLEASE READ THIS AGREEMENT CAREFULLY, AS IT CONTAINS IMPORTANT INFORMATION REGARDING YOUR LEGAL RIGHTS AND REMEDIES.

Last Revised: 2020-05-25 13:08:37

POLICY OF RESPONSIBLE DISCLOSURE

At Hostinger International Ltd, we promote responsible disclosure of all security vulnerabilities on our website or in any of our services. To encourage this responsible disclosure, we agree that if, in Hostinger’s sole discretion, we determine that a disclosure meets all the guidelines of the Hostinger International Ltd Bug Rewards Program, we will not bring any criminal or private legal action against the disclosing party.

BUG REWARDS PROGRAM

Hostinger International Ltd. offers monetary bounties for the responsible disclosure of certain qualifying security vulnerabilities. Our Bug Rewards Program works as follows:

SERVICES IN SCOPE:

All subdomains under hostinger.com are in-scope except the ones used in 3rd party services, e.g.:

QUALIFYING VULNERABILITIES:

Hostinger International Ltd. will accept a report of any vulnerability that substantially affects the confidentiality or integrity of any eligible Hostinger International Ltd. service. Eligible vulnerabilities include, but are not limited to:

Non-Qualifying Vulnerabilities

If a domain is not contained inside hostinger.com, it will not be included in the scope of third party programs, plug-ins and the Bug Rewards Program.

All researchers participating in the Bug Rewards Program should note that certain actions fall outside the scope of this program. The non-qualifying actions under the Bug Rewards Program are:

  1. Click-jacking
  2. Cross Site Scripting (XSS)
  3. Phishing attacks
  4. Missing SPF/DKIM/DMARC records
  5. Cross Site Request Forgery (CSRF)
  6. Man-in-the-middle attack (MITM), also known as a hijack attack
  7. Physical attacks
  8. DoS, DDoS attacks, user enumeration or brute force
  9. Bugs dependent on social engineering
  10. Directory listing (unless sensitive data is found)
  11. Blackhat SEO strategies
  12. Bugs depending on out-of-date browsers
  13. BEAST/CRIME attacks
  14. Logout CSRF
  15. Version or Banner disclosures
  16. Any reports generated from computerized vulnerability scanners are not accepted at Hostinger.

BOUNTIES:

All bounties are awarded at the discretion of the Hostinger International Ltd. Bug Rewards Team, based on the severity of the reported vulnerability. Where an award is made, the minimum amount of the bounty will be Fifty Dollars ($50.00). Only one (1) bounty will be awarded per security bug. The awards will be made to the first researcher to responsibly disclose a particular bug.

Investigating and Reporting:

The security researcher submitting a vulnerability must thoroughly vet and confirm the vulnerability prior to submission. All submissions must include the following:

To report a vulnerability, please send an email to [email protected]

BEST PRACTICES FOR GOOD REPORTS

A detailed, step-by-step report for reproducing the bug is recommended. Please include all details, such as links clicked, user IDs and links of web pages visited.
Adding supporting material such as images and videos helps make the report clear. Add image captions or brief descriptions wherever possible to make the information more useful.
Consistently reliable exploit code makes vulnerability verification easier and quicker.

CONFIDENTIALITY

All information and data about Hostinger’s employees or Hostinger International Ltd that is accessed or collected under the Bug Rewards Program must be kept absolutely confidential and used only for actions directly connected to the Program. Any confidential information needs Hostinger’s written consent before its disclosure. Vulnerabilities can be disclosed only after all suitable remediation has been completed. If any confidential information is disclosed without Hostinger’s prior written consent, it will lead to an immediate elimination from the Program.

LEGAL

When you participate in Hostinger’s Bug Rewards Program, you confirm that you have read and understood Hostinger’s Privacy Policy and Universal Terms of Service Agreement. None of your testing actions should disrupt any services, compromise any data that is not yours or violate any applicable law. You further confirm that you will be solely responsible for all withholdings and taxes that directly arise when you participate in the Bug Rewards Program of Hostinger, including the rewards received.
If and when Hostinger uses any third-party service provider to manage its Bug Rewards Program, the provider’s terms and conditions will be applicable. Hostinger has the final discretion to pay or not pay the reward. Since this is a discretionary rewards program, it may be cancelled at any time.