Airmeet's Responsible Disclosure Policy

Airmeet takes the security of its products and services very seriously. We believe responsible disclosure of any security vulnerabilities identified by security researchers is an essential part of that commitment to ensure stringent quality standards for the security of these systems. This Responsible Disclosure Policy (“Policy“) is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us. Responsible disclosure requires mutual trust, respect, and transparency between all members of the security community.

If you believe you have found a real or potential security vulnerability in any Airmeet-owned software or source code, then please report it to us as soon as possible. We would like to work with you to protect our customers and our systems in a better way.

We will acknowledge receipt of your vulnerability report as soon as possible. In case your vulnerability report is a ‘valid issue’ then we will strive to send you regular updates about our progress.

If you are curious about the status of your disclosure please feel free to text us on your vulnerability report chat section. If for some reason you do not receive a response within a reasonable time from us then please follow up on your vulnerability report chat.

Disclosure Process

Please always ensure to avoid any privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.

Please only use exploits to the extent necessary to confirm the presence of any real or potential security vulnerability and do not use an exploit to compromise or exfiltrate data, establish persistent command-line access, or use the exploit to pivot to other systems.

Please do not report any security vulnerabilities through public channels or to any third parties without our prior written consent, instead, please report them to the Airmeet Responsible Disclosure program on BugBase.

We prefer all communications to be in English. Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:

Type of issue

• Remote Code Execution (RCE),
• Server-side request forgery (SSRF), SQL injection, cross-site scripting, etc.);
• Full paths of (source) file(s) related to the manifestation of the issue;
• When applicable, the location of the affected source code (tag/branch/commit or direct URL);
• Step-by-step instructions to reproduce the issue; Impact of the issue, including how an attacker might exploit the issue this information will help us triage your report more quickly.

Out of Scope

The following issues are considered out of scope:

Web

• Self-XSS that cannot be used to exploit other users
• Attacks requiring MITM or physical access to a user's device
• CORS misconfiguration on non-sensitive endpoints
• Missing security headers and cookie flags
• Missing Best practices, issues related to password policy
• Automated scanner-generated reports; (e.g. Nuclei, Zap, Burpscan Report, etc.)
• Tabnabbing and Clickjacking
• Issues related to email spoofing, SPF, DMARC or DKIM
• Content Spoofing / Text injection / IDN homograph issues without showing impact.
• Missing best practices in SSL/TLS/CAA configuration
• Disclosing API keys without proven impact.
• Banner grabbing / Version disclosure / Path Disclosure
• UserId / email enumeration
• Issues related to Exif data and XMLRPC
• HTTP Request smuggling without any proven impact
• Hyperlink injection or any link injection in emails we send
• Use of a known-vulnerable library without proven impact
• Mixed content type issues
• Any domain belonging to *.eu.airmeet.com, *.us.airmeet.com, and turn-servers (e.g turn01.airmeet.com) is out of scope.

Mobile

• Attacks requiring physical access to the victim's device
• The absence of certificate pinning
• API key leakage is used for insensitive activities/actions
• Lack of jailbreak & root detection

Rules of Engagement

Please DO NOT disclose the vulnerability until we have been able to correct it. See below for possible publication.

Do not exploit the vulnerability by unnecessarily copying, deleting, adapting, viewing data or downloading more data than is necessary to demonstrate the vulnerability.

Do not apply the following actions:

• Placing malware (virus, worm, Trojan horse, etc.);
• Copying, modifying, or deleting data in a system;
• Making changes to the system;
• Repeatedly accessing the system or sharing access with others;
• Using the so-called “brute force” of access to systems;
• Using denial-of-service or social engineering (phishing, vishing, spam, etc.).
• Do not use attacks on physical security, social engineering, distributed denial of service, spam, or third-party applications.
• Immediately erase all obtained/exfiltrated data as soon as it is reported.
• Do not perform actions that could have an impact on the proper functioning of the system, both in terms of availability and performance, but also in terms of confidentiality and integrity of the data.
• Please do not submit a high volume of low-quality reports on security vulnerabilities.

Acts under this Responsible Disclosure Policy should be limited to conducting tests to identify potential vulnerabilities, and sharing this information with Airmeet. If, after the vulnerability has been removed, you may publish information about the vulnerability on social media platforms or in public or to any third party, only with our prior written approval by notifying us at least one month in advance. Hence, you can identify us in public or before any third party only after giving our explicit written approval.

If you have any questions, we encourage you to address them to the Airmeet Security Team at [email protected]. In case of doubt about the applicability of this Policy, please contact us first via the above-mentioned e-mail address, to ask for an explicit permission.

Airmeet reserves the right to change the content of this Policy from time to time or to terminate the Policy at any time.

Acknowledgements

We are not offering cash rewards for any vulnerabilities. If your submission is valid, we will send you Airmeet T-Shirt as a token of appreciation.