Amplify

Report a vulnerability

Amplify currently participates in a private bug bounty program through HackerOne. If you are already part of our program, please report vulnerabilities through the platform.

If you are not part of our program, thoroughly review the information on this page before using the form below to submit vulnerabilities. Once submitted, you may create an account with HackerOne to be considered for admittance to our program.

For questions please contact us at vulnerability@amplify.com.

Vulnerability Disclosure Policy

As a provider of technology solutions to schools, Amplify’s commitment to data privacy and security is essential to our organization. Amplify demonstrates that commitment in part through the physical, technical, and administrative safeguards we maintain to protect student data and other sensitive information entrusted to our care.

Amplify looks forward to working with the security community to find security vulnerabilities and support our efforts to keep our data and systems safe and secure.

Before reporting a vulnerability, please read our program rules, eligibility overview, report submission rules and guidelines, legal terms, and out-of-scope list set out below.

General Rules

  • We appreciate reports on any Amplify-owned asset, but only vulnerabilities that prove to be outside of expected behavior are eligible for acceptance.
  • Reports involving third party services or providers not under Amplify’s control are out-of-scope for submission.
  • Amplify places a high priority on privacy. Vulnerabilities in the areas of inadvertent exposure of our customers’ personally identifiable information (PII) are considered to be of Critical severity.
  • We classify vulnerability severity per CVSS (the Common Vulnerability Scoring System). These are general guidelines, and the ultimate decision over a reward – whether to give one and in what amount – is a decision that lies entirely within our discretion on a case-by-case basis.
  • In order to receive an award for validated reports, you must have a HackerOne account. Please note that these are general guidelines and that reward decisions are subject to the discretion of Amplify.
  • Only interact with test accounts that you created or that we provided. The use of any credentials outside of these areas for testing purposes is strictly prohibited.
  • Do not contact Amplify’s customer support for questions or to submit a vulnerability report.
  • Amplify may, in its sole discretion, disqualify you if you breach this policy or fail to comply with any of the program’s rules and terms.
  • Amplify reserves the right to cancel or modify this program without notice at any time.

Eligibility

  • You are not eligible for participation if you 1) are employed by Amplify or any of its affiliates, 2) are an immediate family member of a person employed by Amplify or any of its affiliates, or 3) left the employment of Amplify or its affiliates or subsidiaries within the past twelve (12) months.
  • You are not eligible for participation if you have been prohibited in writing from participating in the Bug Bounty Program by Amplify at any time.
  • You may not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to conducting your tests.
  • You may not compromise the privacy or safety of our customers or the operation of our services.
  • You may not cause harm to Amplify, our customers, or others.
  • You must follow the policy guidelines to responsibly disclose vulnerabilities to Amplify.

Vulnerability Submission Rules & Guidelines

  • Any testing conducted on customer data or accounts is strictly prohibited and will result in removal from the program.
  • If during the course of testing you encounter any sensitive data outside of your test accounts (including student or teacher names, login info, assessment data, activity data, and student work, etc.), please cease testing immediately and report what you have found. DO NOT include any text, screenshots, etc. with PII in the report. This action safeguards both potentially vulnerable data and yourself.
  • Do not access, download, or share any data you encounter in your testing.
  • Only interact with test accounts that you created or that we provided. The use of any credentials outside of these areas for testing purposes is strictly prohibited.
  • Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • In some cases, you may not have all of the context information to assess the impact of a vulnerability. If you’re unsure of the direct impact but are reasonably certain that you have identified a vulnerability, we encourage you to submit a detailed report and state the open questions on impact.
  • When duplicate submissions for the same vulnerability occur, we only award the first report that was received, provided that it can be fully reproduced.
  • Multiple reports describing the same vulnerability against multiple assets or endpoints must be submitted within a single report.
  • Avoid destruction of data and interruption or degradation of our service.
  • Proof of Concept (POC) videos that do not include PII are highly recommended to help verify the issue, provide clarity, and save time on triage.
  • Please provide timely responses to any follow-up questions and requests for additional information.
  • Understand that there could be submissions for which we accept the risk, have other compensating controls, or will not address in the manner expected. When this happens, we will act as transparently as we can to provide you with the necessary context as to how the decision was made.
  • Reports submitted using methods that violate policy rules will not be accepted and may result in account suspension from/denial of entrance to the program.
  • Please refer to any noted out-of-scope areas listed under Out-of-Scope Vulnerabilities.

Out-of-Scope Vulnerabilities

When reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out-of-scope. In addition, please refer to any noted Out of Scope areas listed under the program assets.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user’s device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
  • XSRF that requires the knowledge of a secret.
  • Automated tools that could generate significant traffic and possibly impair the functioning of our services.
  • Leaked credentials from third party providers, including invalid or stale employee credential dumps, and/or leaked personal information of Amplify staff.
  • Vulnerabilities identified via third party services or providers where Amplify is not the owner.
  • Issues that merely result in spam/annoyance without additional impact (e.g. sending emails without sufficient rate limiting).
  • Attempts to access our offices or data centers.
  • Any activity that could contribute to the disruption of our service (DoS). Automated scanning tests should be kept to 10 requests per second or less.
  • Self XSS.
  • Broken links and/or crashes in general.
  • Issues that require unlikely user interaction.
  • Issues that do not affect the latest version of modern browsers.
  • Issues that require physical access to a victim’s computer/device.
  • Disclosure of information that does not present a significant risk.
  • Please refer to any noted out-of-scope areas listed under program assets.

Legal

  • Any information you receive or collect about us, our affiliates or any of our users, employees or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform.
  • Researchers must follow HackerOne’s disclosure guidelines. Public disclosure or disclosure to other third parties without the explicit permission of Amplify is prohibited.
  • We will not take legal action against you if vulnerabilities are found and responsibly reported in compliance with all of the terms and conditions outlined in this policy.
  • Amplify reserves the right to modify the terms and conditions of this program without notice at any time, and your participation in the Program constitutes acceptance of all terms.