Responsible Vulnerability Disclosure Program

Data security is a top priority for Workera, and Workera believes that working with skilled security researchers can identify weaknesses in any technology. If you believe you’ve found a security vulnerability in Workera’s service, please notify us; we will work with you to resolve the issue promptly.

Disclosure Procedure

If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at security@workera.ai. We will acknowledge your email within one week. Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within ten business days of disclosure. Make a good-faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Workera service. Please only interact with domains you own or for which you have explicit permission from the account holder.

Program Scope

Workera encourages the disclosure of any and all security vulnerabilities or concerns which would affect the services offered and would leave the services open to any potential security breach, including:

  • Injection
  • XSS
  • Authorization flaws, misconfigurations

The aforementioned list is not exhaustive in any way or manner, and Workera reserves the right to modify this list, without any prior notification.

Exclusions

While researching, we’d like you to refrain from:

  • Distributed Denial of Service (DDoS)
  • Any automated scanning activities
  • Spamming
  • Any submission made based on access which has been granted in accordance with any applicable contract, click-wrap or shrink-wrap agreement.
  • Social engineering or phishing of Workera employees or contractors

The following types of security vulnerability issues are specifically excluded:

  • Open redirects (through headers and parameters) / Lack of security speed bump when leaving the site.
  • Text injection.
  • Email spoofing (including SPF, DKIM, from spoofing, and visually similar, and related issues).
  • Clickjacking and issues only exploitable through clickjacking.
  • Lack of Secure and HttpOnly cookie flags (critical systems may still be in scope).
  • Login or Forgot Password page brute force, account lockout not enforced, or insufficient password strength requirements.
  • Username / email enumeration by brute forcing / error messages (e.g. login / signup / forgotten password).
  • Exceptional cases may still be in scope (e.g. the ability to enumerate email addresses by incrementing a numeric parameter).
  • No CAPTCHA or rate limit on the login page.
  • Denial of Service attacks.
  • Misconfigured DNS issues.
  • Vulnerable versions of third-party libraries (High severity vulnerabilities with a working Proof-of-Concept may still be accepted).

The aforementioned list is not exhaustive in any way or manner, and Workera reserves the right to modify this list, without any prior notification.

Disqualification from Program

Some examples of the activities which shall be treated as disqualification(s) for this program are listed below:

  • Breach of confidentiality obligations under the Program and under the law.
  • Attempt to extract or remove data from the services offered by Workera.
  • Any ransomware attempt while performing activities in scope under this Program.
  • Attempt to commercially exploit such vulnerability.
  • Attempt to hold Workera accountable under any laws due to activities performed in scope under this Program.

The aforementioned list is not exhaustive in any way or manner, and Workera reserves the right to modify this list, without any prior notification.

Legal Action

Workera reserves the right to take all necessary and remedial legal action against the submitter if it determines that the activities performed are in violation of applicable law, covered under the Disqualification(s) or Exclusion(s) listed or determined, and/or have forced Workera to face any legal consequences, which could have been avoided if a disclosure was made under this Program.

Bug Bounty

This is not a bug bounty program and Workera does not guarantee any monetary rewards for the submissions made.

Rewards, if any, will be awarded only at Workera’s sole discretion, for vulnerabilities which Workera, in its sole discretion, determines are substantial in nature.

Changes

We may revise these guidelines from time to time. The most current version of the guidelines will be available at https://workera.ai/security.

Thank you for helping to keep Workera and our users safe!