At infinID, we are committed to maintaining the security of our platforms and protecting our users. We invite security researchers to help us
by identifying vulnerabilities and reporting them through our Bug Bounty Program.

Program Overview

The infinID Bug Bounty Program encourages ethical hackers to report security vulnerabilities that could affect infinID’s services. We offer
rewards for validated reports based on the severity and impact of the vulnerability.

Scope

The following platforms are within scope:

  • infinID Web Application and API
  • infinID Mobile Applications (iOS and Android)
  • infinID Backend Services and Infrastructure

Out of Scope:

  • Attacks requiring physical access, social engineering, or phishing
  • Denial of Service (DoS) attacks
  • Issues related to third-party services or external libraries
  • Vulnerabilities requiring a rooted or jailbroken mobile device

Reward Structure

Rewards are based on the severity of the reported vulnerability. infinID follows the CVSS (Common Vulnerability Scoring System) to
determine the impact level of each submission. Here is the reward breakdown:

Severity Level | CVSS Score Range | Example Vulnerabilities                                               | Reward Range
Critical       | 9.0-10.0         | Remote Code Execution, Privilege Escalation                           | IDR 4,000,000
High           | 7.0-8.9          | SQL Injection, Authentication Bypass                                  | IDR 3,000,000
Medium         | 4.0-6.9          | Cross-Site Scripting (XSS), Sensitive Data Exposure                   | IDR 1,500,000
Low            | 0.1-3.9          | Minor Security Misconfigurations, Information Disclosure              | IDR 500,000
Informational  | N/A              | Issues that do not pose a direct security threat but are worth noting | None (IDR 0)

The reward amounts may vary based on the actual impact of the vulnerability and how easily it can be exploited.

Vulnerability Types
We are interested in reports for the following types of vulnerabilities:

  1. Remote Code Execution (RCE)
    Example: An attacker can execute arbitrary code on the server or client-side.
  2. Privilege Escalation
    Example: Gaining access to administrative functions or higher-level privileges.
  3. SQL Injection
    Example: An attacker can manipulate database queries via unsanitized inputs.
  4. Authentication Bypass
    Example: An attacker can bypass authentication mechanisms to access restricted areas.
  5. Cross-Site Scripting (XSS)
    Example: Malicious scripts are injected into a website viewed by other users.
  6. Sensitive Data Exposure
    Example: Unintentional exposure of personal or financial information.
  7. Insecure Direct Object References (IDOR)
    Example: Accessing unauthorized resources by manipulating object references.
  8. Cross-Site Request Forgery (CSRF)
    Example: An attacker causes a logged-in user's browser to send a request the user did not intend, so the action is carried out with the user's privileges.
  9. Security Misconfigurations
    Example: Misconfigured security headers or improper permission settings.
  10. Insecure API Endpoints
    Example: API endpoints exposing sensitive information or allowing unauthorized access.
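
The two list entries above for SQL Injection (3) and Insecure Direct Object References (7) each describe the flaw in one line. The following is an added illustration, written for this page and not code from infinID or its platforms, that shows both flaws against a constructed in-memory SQLite database beside the fixed versions. The table layout, usernames, document ids and the `find_user_*` / `get_document_*` function names are all assumptions made for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT);
        CREATE TABLE documents (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT);
        INSERT INTO users VALUES (1, 'alice', 'user'), (2, 'bob', 'user'), (3, 'admin', 'admin');
        INSERT INTO documents VALUES (10, 1, 'alice private note'), (11, 2, 'bob private note');
        """
    )
    return conn


# --- SQL Injection (vulnerability type 3) ---

def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The untrusted value is pasted into the query text, so it can change the
    # query's structure instead of acting only as a comparison value.
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameter binding sends the value separately from the SQL text; the
    # database compares it as data and never parses it as SQL.
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


# --- Insecure Direct Object Reference (vulnerability type 7) ---

def get_document_vulnerable(conn: sqlite3.Connection, requester_id: int, doc_id: int):
    # The lookup trusts the id from the request and ignores who is asking,
    # so any authenticated user can read any document by guessing its id.
    row = conn.execute("SELECT body FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None


def get_document_safe(conn: sqlite3.Connection, requester_id: int, doc_id: int):
    # Ownership is part of the query, so a document belonging to someone else
    # is indistinguishable from one that does not exist.
    row = conn.execute(
        "SELECT body FROM documents WHERE id = ? AND owner_id = ?",
        (doc_id, requester_id),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run both flaws and both fixes against the constructed data."""
    conn = make_db()
    payload = "x' OR '1'='1"  # classic tautology: turns the WHERE clause always-true
    return {
        # vulnerable query becomes ... WHERE username = 'x' OR '1'='1' and matches all 3 users
        "sqli_vulnerable_rows": len(find_user_vulnerable(conn, payload)),
        # safe query looks for a user literally named "x' OR '1'='1" and finds none
        "sqli_safe_rows": len(find_user_safe(conn, payload)),
        # bob (id 2) asks for alice's document (id 10)
        "idor_vulnerable": get_document_vulnerable(conn, requester_id=2, doc_id=10),
        "idor_safe": get_document_safe(conn, requester_id=2, doc_id=10),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

A report for either class should show exactly this kind of contrast: the request as sent, the response proving the unintended rows or object came back, and the minimal change that closes the hole.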
 

Reporting Guidelines

  • Please provide a clear, detailed report with step-by-step instructions to reproduce the vulnerability.
  • Include screenshots, videos, or Proof of Concept (PoC) to support your findings.
  • Indicate the potential security impact and suggested mitigations.
 

Responsible Disclosure Policy
We require all researchers to:

  • Act in good faith and avoid harming user data or disrupting services.
  • Allow a reasonable time for infinID to address the vulnerability before public disclosure.
  • Follow the guidelines and avoid any malicious exploitation of discovered vulnerabilities.
 

How to Submit
Submit your findings via email at [email protected]. Ensure your report includes all necessary details for reproduction.

Legal
Participation in infinID’s Bug Bounty Program requires compliance with all applicable laws. infinID reserves the right to modify or cancel the
program at any time.