# HYPR Vulnerability Disclosure
We have one mission and that is to create a passwordless world. For us, security isn’t just about keeping the bad guys out. It’s about protecting people in everything they do, wherever they are.
HYPR’s founders realized that passwords will continue to be the hackers’ favorite target unless something is done about it. They saw it as an opportunity to approach security in a brand new way. What if our everyday smartphone could be used to change the security and user experience landscape? That became the launching pad for HYPR.
Our global team comes from software, information security, and digital identity backgrounds to deliver security that’s meant for everyone. United by the common mission to create a passwordless world, we maintain a work ethic that prioritizes our customers’ success and growth.
HYPR looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
## Rules of Engagement
HYPR asks researchers to willingly #hackthis. Nothing is off limits and for the benefit of all customers, we encourage every possible attempt to circumvent security.
At the same time, should your efforts lead to a discovered vulnerability, we kindly ask that you limit your access to and exposure of customer data to only the information needed to report the finding to HYPR and to indicate the severity of the issue.
If you are keen to exploit identified vulnerabilities in a manner that risks the confidentiality, integrity, and/or availability of any resources not explicitly owned by you during testing, please reach out with your request and an environment can be cloned to mimic production use.
- HYPR does not accept security reports that rely on phishing, spam, social engineering, or similar fraudulent schemes targeting customers or HYPR employees to gain access.
- HYPR does not encourage security testing of its local and physical premises. Do not attempt to social-engineer access to employee offices or similar locations.
- HYPR is interested in denial of service (DoS) and distributed denial of service (DDoS) attacks against HYPR resources to prove stability. At the same time, HYPR requests that you reach out first so that we can clone an environment for you to test against. Please also describe your experience and your well-intentioned interest in this testing.
If you are unsure whether your testing approach is covered, or have any other questions, please reach out to email@example.com to coordinate and collaborate with us.
## Out of Scope Vulnerabilities
HYPR receives security and bug reports of various types; however, certain reports are not currently of interest to the company or viewed as a material risk. The following list is a sample of the types of reports which may fall under this view. HYPR will reply to confirm either that we are not taking action or, where warranted, that the report is under further review. We appreciate you reviewing this list before submitting your report.
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions.
- Previously known vulnerabilities already in the roadmap for getting fixed.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Attacks requiring MITM or physical access to a user’s device.
- User enumeration of any kind.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Rate limiting or brute-force issues on non-authentication endpoints.
- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
- Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version).
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
- Open redirect, unless an additional security impact can be demonstrated.
- Issues that require unlikely user interaction.
## How to Report Security Issues to HYPR
HYPR uses HackerOne for triage, reporting, and payment. This ensures a smooth process for you and lets you maintain your confidentiality, while ensuring that HYPR is properly assessed for any taxes and business expenses.
Your first step to be invited to HYPR’s HackerOne page is to send an email with the potential product or service security issue to firstname.lastname@example.org. This goes directly to our Security Incident Response Team.
We welcome you to encrypt communications to us using our GPG key, and we will reciprocate if we deem the contents sensitive enough to require confidentiality and protection.
```
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGAmvygBEAChbSZdam41xdhqpSxDwGWpL9bWR2b1qkHt3Ilno146Udj9GKyS
JGdKwdAtDUcPKE8B7fRzn14EG3uBmnCfCxKT3V7qD9K1bKY9F67JWZ3M8cfLHpb7
kvEraXZTF6qLHmvrgKkdWqjD/f8jl3pdbilJlO5Gpa0XfGrQas8QZuK/+Th6ZNkR
s9invYK57TRsbcTWHd3WTZAas52rcisXNCiR5Ti8xVdNt8BAuIBhvQhYPZQeL3NT
IsdfYr0ShBWiccuj/wSjpg9F0u1+O/7Hu1hGcYXxwvQ6XurBgJasMPC3lcQoIyeg
6/6bLVEkfIZp8X2UbnMw7sHNJetsKu4eaRYk9Wki3cjnv0r1CbQaVjYZ/DEfv9UP
1nbtvAahvASaHZFleaZTzoEYdBmdUijpR8cuCLYx5RH5uVmAR4/YQU9dS6uWRWz3
njjH2kvd3TzrnenExZ8ieY/mbIFV7tzXPI+1pScnBmcgqd9gRiju4mNFJp/nhZRL
hWFZxT3B6MHOHy+DLl2vIpMii78JtNwiGVERegIiRRwR7d8LTcFCkQjCYhmXVzCX
p6jnZR5oi/yzP7/4CUgm1N+S7PMuO5yN+IXQubjj6mQpxCRZQKL+rSr02eUp9gPe
0qP6MiuZqVNRiXA6rcsZ/+syzr9F1SDKBHUhF9F5pI51Ho65b+o46X4mHQARAQAB
tCFIWVBSIFNlY3VyaXR5IDxzZWN1cml0eUBoeXByLmNvbT6JAlQEEwEIAD4WIQSV
BFxL6lUBXEC4MCkloQwSXKsU4gUCYCa/KAIbAwUJB4YfgAULCQgHAgYVCgkICwIE
FgIDAQIeAQIXgAAKCRAloQwSXKsU4vxtD/0f9vtlL6UhLUYcyFO3NcRy8PiKQzl6
YyCWhIZfwdDcG3F4I6HRWlRYVanvbT5RhjEPk7zVoCAjewGT7fXnoGXjr+cfgkxo
Be6MN+lHYg48OJS+wiVq/lde+DNeyd0hFPyGxOyaCE0aPlSVBoozi/ofCktkqmfd
VHtEf0oJislCazWW/+qJsCghMB0mtM7qGRprFfZe9VlNj06v2Y/AA2NnDQwy12yD
JecInNW3/qjFFeBDlJvblu5UyEVbXP+fgOIXyvutaixk38Jgp+4WzbVOLEP/xTMZ
Aw1KiG/WJtkmfmAVGnQhiqAdoIxtuUnuWK1Uw6ki9P4Xq2nsoCkctJ8umAgMqPG/
onTWX6z1BTt8NyJHEzE8eQMM65MH/zOW4rwkdcC+dWDHNLIOhxKPXOOowhInu5En
nB+sANP6HE9S+9Q+dzREgzBesnnSeazSWlkmwfhryZFtt00p3RhO8JpVKk8L6R8z
U+vjCwjBhxem4luok2TyM0n6XTeoAWEcDnUi1ZU2P5gKPQlgzRv9E7IuBG4yt4r4
i5UM35N31l0xIUi+rAX+g7uU7DGl+AoBKwjowDO+6g9/rn8h8weIfqkW95YdpEJe
Awo3H4yWDnmxIlorHtErCzJX3VmNfwGN5mafGhVQKo7vbKyRs171Vt/J+/5+ZJaN
EXo3/2eEIFFd9bkCDQRgJr8oARAAwAJdo29/+sUgXVL06ire5osaw2LyxMYS/iNX
OJUA0sYNIw1FIndv2Mva6Xuo1Kw/JEvLdpXbyW5N3D4AheX1fvbfAZgqarogV8Yp
akQfhWGNp0jp/EQ5Rbnm5HHWYtsC1ZauCqCn0E6mYzk78UHVrawhvRu1y7kd+O7d
Ef9PyuMRpR2eeMLpTSvUreDW249SXkEf0ulj94oBV/RHKAHB/9mDOLeq2YHNbvqR
eAOMqGgREE1+ob//osbkstl1/huNmp1I5doPHw2EsBV3RW5Zub2ixKWD3O8g9EGK
iw4vgos1LLXUAyHCgGSgcnfCrIRW0+NFhmsNfAQC2QiuhTTkb4vJVyt2x/QBF707
dRV40L1fZZ3iJUcEvp3RPRFT7XfB8ePTFQ+5mBpfHXDuKCiRODwYZOVZo8pB0J0A
0RN4749dv4/JVYRoXkWnhWbbcHHp9yeDTx+5ibFEX5SvEEMyR8IDhBuiBHUTGoTu
rvf03YKGxbEsAjdeURtSUiLzXbDpvNcbjCoBrcTck0rd1XTOUbZAA4ZwfkKmMbcE
uMTNq6083swF/VISbCz/BrD80Z+WLiymK1hCXc8HWiGc0AnRgKCLWONg6Pe1WWbx
FS/TR19/iyPwdhjcP3UEfCOkIC9FOETqBwwuvbP1sJLgKYHlCdEvUybBb5qX7Wwj
H0MS618AEQEAAYkCPAQYAQgAJhYhBJUEXEvqVQFcQLgwKSWhDBJcqxTiBQJgJr8o
AhsMBQkHhh+AAAoJECWhDBJcqxTiY5QP/0OFFmi4PjFtGBSSEK3pqG1cF0V91J6y
Wj1SZmBCzDjGRN3v7jSdfFg2+qI0REJlRSdSluXHPXv0bVghjwaIMEnizx/nFUjq
EEdsEJa10msFPhaeoYO8nlm63VMq7Ungk3vsQ/UwFxuyAEyi6GwD8P84M4Q++/oY
0v7TJz0j6T7WZfhvt3LRIFSlqupZgik31gHPpLdyZ7GuFxB+Ek32jMHN59QxFbYq
lxougq5CqPdRfn3s/8zjDkt+Yl9UkB1R8CORCkWonxVWMcWbdKi22VNw0xMw8lee
39Ii9aKsQUoRTijx4viwV3tOrECccHDMmiZ2VKfpIY6TOt3bDsXEQ17VouBZ6GkI
4vDzxLOe+tbq0y6BEk1xjC/jADlyM9URuCcjxSIhAZwLx2H77tC8HaCljE11cG6g
zza/TD3UEsb2i36fBZRKF32F7pHQPVfn+gpuUZ6cyejI1JoMBLvMF25Nn2JOOtmY
adoW6cHhnq3H1z/X0CGqSDdZy8+ljjsDsLuAi+OzyPaDKgjl8BhnRaOV42I4a0Me
/SNjucLSl7JW9ofT46/h8IRZZ6cQEtM9pLlHb2DcvgqIeNW1nCzKwITKfSzsM3Lq
+XTx0TPvNKWlzc1waWYRjAXeTyejFLXYfYSvmd9yxN9aEoQuQ7QGZWCSgHGYJhW2
bcsUFYzLXFY1
=DLK3
-----END PGP PUBLIC KEY BLOCK-----
```
## What You Should Include in Your Report
[add summary of the vulnerability, perceived impact and information access. To the extent this vulnerability inadvertently granted access to production environments, please let us know so we may assess our reporting obligations]
### Steps To Reproduce:
[add details for how we can reproduce the issue]
### Supporting Material/References:
[list any additional material (e.g. screenshots, logs, etc.)]
* [attachment / reference]
### Ancillary Information:
- Provide the date/time and applicable URLs if they are not already in the logs.
- For web reports: your browser and version.
- For workstation client or mobile app reports: your OS and version.
- If you have a HYPR version or HYPR configuration, please include that as well.
## How HYPR Will Respond
Under normal circumstances, HYPR will provide an initial acknowledgement of your security report within 24 hours, once our security team completes the initial triage process. We may follow up with additional questions and will keep the security researcher actively engaged during the triage and remediation process.
Depending on the severity and priority of the vulnerability, it may take several days or longer to remediate and resolve. During the entire process, the security team will be transparent about the pace of the remediation efforts currently underway. We cannot guarantee a timeline, due to the wide variety of factors that go into the remediation process, but we commit to providing you with frequent updates.