No technology is perfect, and Showmax believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you’ve found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
This version of the Security policy applies from 12 January 2021.
Disclosure Policy and Rules of Participation
- Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- You may only test against accounts you have created, or that Showmax has created for you, unless stated otherwise.
- You must not attempt to gain access to, or interact with, any accounts other than those created by you or created for you by Showmax, unless stated otherwise.
- We cannot whitelist IP addresses, nor allow VPN access.
- We are not releasing vouchers for test purposes, unless stated otherwise.
- Always include as much detail as is reasonable. If reporting incorrect behaviour of the API, always include the relevant part of the response (for example headers). When the API is involved, always include our tracing header Showmax-Request-Id.
- Rules for reporting must be followed.
- This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists.
- Showmax reserves the right to modify the rules for this program or deem any submissions invalid at any time. Showmax may cancel the Bug Bounty program without notice at any time.
- You can participate in Showmax platform security testing from the user perspective. You can claim Showmax credentials via HackerOne; Showmax will set up a geolocation exception for you and will release a voucher/access code for a 7-day subscription, subject to further activation under the obligation to accept the Showmax Terms and Conditions and to use the Showmax Platform exclusively for the purpose of research and testing in the Fair Use regime. Showmax reserves the right to modify the rules for this program, deem any submissions invalid or cease voucher/access code validity at any time. Showmax may cancel the security testing from the user perspective without notice at any time.
Please use the HackerOne platform. If you feel the email/report should be encrypted, please use our PGP key.
Thank you for helping keep Showmax and our users safe!
Eligibility
The scope of the bug hunting program is limited to services directly provided by Showmax, such as the web, the API and native applications. Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Showmax.
Eligible services/products:
- Showmax website - https://www.showmax.com and https://secure.showmax.com
- Showmax Android App - Available in Google Play store
- Showmax iOS Application - Available in iTunes store
- Showmax tvOS Application for AppleTV
- Showmax blog - https://stories.showmax.com
Out of scope: We don’t consider 3rd-party services eligible for this program (for example https://chat.showmax.com, which is hosted by a 3rd party). We also consider other service domains (e.g. showmax.io or showmax.cc) out of scope by default. But if you think that you have discovered something important, please report it. We may consider your report valid for a bounty even for these domains if we believe that it has significant value.
Also be aware that the API version and platform are part of the API URL, as /v{api_major_version}.{api_minor_version}/{platform}/. For example, there is probably very little value in reporting separate issues against api.showmax.com/v42.0/website/some_endpoint and api.showmax.com/v42.2/website/some_endpoint, or api.showmax.com/v42.0/ios/some_endpoint, since these are the same endpoint served under a different version or platform.
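One way to apply that rule during triage is to strip the version and platform segments before comparing reports, so that submissions against the same endpoint on different API versions or platforms land in one bucket. The following is an added example written for this page, not Showmax's own tooling: the only thing it takes from the policy is the /v{major}.{minor}/{platform}/ path layout; the report ids and URLs in SAMPLE_REPORTS are constructed.

```python
import re
from urllib.parse import urlsplit

# Path layout from the policy text: /v{api_major_version}.{api_minor_version}/{platform}/{endpoint}
_VERSIONED_PATH = re.compile(
    r"^/v(?P<major>\d+)\.(?P<minor>\d+)/(?P<platform>[^/]+)/(?P<endpoint>.*)$"
)


def canonical_endpoint(url):
    """Return (host, endpoint) with the version and platform removed.

    Returns None when the path does not follow the versioned layout, so callers
    can tell "not an API URL" apart from a real match. A bare host/path without a
    scheme (as people often paste into reports) is accepted too.
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    if not parts.hostname:
        return None
    m = _VERSIONED_PATH.match(parts.path)
    if not m:
        return None
    # Query string is already split off by urlsplit; normalise the trailing slash.
    endpoint = "/" + m.group("endpoint").rstrip("/")
    return (parts.hostname.lower(), endpoint)


def group_reports(reports):
    """Group report ids by canonical endpoint.

    `reports` is an iterable of (report_id, url). URLs that do not match the
    versioned layout keep their own bucket keyed by the raw URL so nothing is
    silently merged.
    """
    groups = {}
    for report_id, url in reports:
        key = canonical_endpoint(url) or ("unmatched", url)
        groups.setdefault(key, []).append(report_id)
    return groups


# Constructed sample: three reports against the same endpoint on different
# versions/platforms, one against a different endpoint, one non-API URL.
SAMPLE_REPORTS = [
    ("R-1", "api.showmax.com/v42.0/website/some_endpoint"),
    ("R-2", "https://api.showmax.com/v42.2/website/some_endpoint"),
    ("R-3", "api.showmax.com/v42.0/ios/some_endpoint"),
    ("R-4", "https://api.showmax.com/v42.0/website/other_endpoint?x=1"),
    ("R-5", "https://www.showmax.com/about"),
]

if __name__ == "__main__":
    for key, ids in group_reports(SAMPLE_REPORTS).items():
        print(key, "->", ids)
```

Running it groups R-1, R-2 and R-3 under ("api.showmax.com", "/some_endpoint"), leaves R-4 on its own endpoint, and keeps R-5 in an "unmatched" bucket rather than guessing.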
Vulnerability Categories We Encourage
We are primarily interested in hearing about the following vulnerability categories:
- Authentication related issues (e.g. authentication bypass for login to My Account)
- Authorisation related issues (e.g. authorisation bypass for asset playback)
- SQL Injection (SQLi)
- Cross Site Scripting (XSS)
- Data Exposure
- Redirection Attacks
- Remote Code Execution
- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories
Out of Scope Vulnerability Categories
The following vulnerability categories are considered out of scope of our responsible disclosure program and will not be eligible for credit and/or bounty.
- SSL vulnerabilities related to configuration or version
- Denial of Service (DoS). There is also rate-limiting functionality on our service that will kick in after an abusive number of requests is made. There is no need for you to test it, and it has different thresholds for different URLs (e.g. much lower for auth-related endpoints).
- User enumeration
- Password policies/2FA (we are not trying to build a bank here)
- Brute forcing
- Secure flag not set on non-sensitive cookies
- HttpOnly flag not set on non-sensitive cookies, as some cookies need to be readable by other parts of our platform (e.g. showmax_auth is accessed by the JavaScript application)
- Logout Cross Site Request Forgery (CSRF)
- Handling of CSRF token (it is tied to particular app session cookie)
- HTTP access control (CORS)
- Self-XSS
- Certain services passing access_token in params
- Issues only present in old browsers/old plugins/end-of-life software browsers
- HTTP TRACE method enabled
- Vulnerability reports related to the reported version numbers of web servers, services, or frameworks
- Clickjacking on pages without authentication and/or sensitive state changes
- Missing Content-Security-Policy (CSP)
- Open ports for services on the servers (e.g. open ssh)
- Reports related to password reset token handling, its immediate invalidation etc.
- Vulnerability reports that require a large amount of user cooperation to perform unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)
- Any physical attempts against Showmax property or data centers
- Social engineering (including phishing) of Showmax staff or contractors
- Spamming
- Email routing related issues, such as SPF, DKIM or DMARC configuration
- Bruteforce Amplification Attack via https://stories.showmax.com/xmlrpc.php
- Copy-pasted CVE reports (we do monitor usual sources of security vulnerabilities)
- Parental PIN disclosure in API responses
- API rate limiting
Payouts (on HackerOne)
Our vulnerability-reward payouts will go up to 1,500 USD for the most impactful exploits. If we accept your report, our minimum bounty is 100 USD for the main services/products, and 50 USD for the Showmax blog and for reports concerning out-of-scope services. We are able to provide bounties only via the HackerOne platform.
Indemnification
Showmax will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.
Participating Security Researchers
Showmax would like to thank the following researchers for participating in our responsible disclosure program. They are listed in alphabetical order.
2022
Ali Kostak | @akostak24 | |
@clayxer | ||
() | @friendsmr | |
Moad Akhraz | @mdakh404 | |
sheshank shekhar pandey | @mithun_1999 | |
qualin bounty | @qualin | |
Rajesh Ranjan | @rajesh_ranjan | |
Tabitha Gathoni | @tech_queen | |
Un9nPlayer | @un9nplayer | |
Kamil Vavra | @vavkamil | |
xcheater | @xcheater |
2021
Anthonie | @1monkey51 | |
@5050thepiguy | ||
abdulsec | @abdulsec | |
abhiram | @abhiram | |
Ali Kostak | @akostak24 | |
Shrishty Dayal | @ano2304 | |
ayush kuamr | @ayushkumarsulrahulchiragkumary | |
845b78590f42fe113685dd1eca24bf50a70a26de3b24069bcf22c8ecfd7519491ec8285e76 | @b916e4400aed07ea93c4a8c | |
mhmd berro | @badcracker | |
batman | @batman47 | |
cheatcode | @cheatcode | |
Codermak | @codermak | |
cr00k | @cr0ok | |
Oday Alhalbe | @dexter34 | |
Dhafer THamer | @dh_f96 | |
doyy | @doy1337 | |
simone | @drak3hft7 | |
Alfie | @emenalf | |
Fariq Fadillah Gusti Insani | @fariqfgi | |
Fish3rman | @fish3rman | |
Bagas Fadillah Islamay | @gasfad01 | |
deepanshu369 | @golu_369 | |
haxor | @haxor31337 | |
Ibrahim Auwal | @ibrahimatix0x01 | |
@kaalratri | ||
Itumeleng Lesley Ditlhotlhole | @lesleybw | |
@lordjerry0x01 | ||
Moad Akhraz | @mdakh404 | |
Melar Dev | @melar_dev | |
Miguel Santareno | @miguel_santareno | |
-=Moonwalker=- | @moonwalker | |
Gal Nagli | @nagli | |
TengZheng | @rael | |
Serdar Uzunay | @serdar_uzunay | |
Sheikh Rishad | @sheikhrishad0 | |
sopan kah begitu? | @sopankbegitu | |
sujan shetty | @sujan_shetty | |
Ayush Oberoi | @ziel |
2020
Aulia Rakheen | @0x1_aulia | |
abhiram | @abhiram | |
Ahmad Halabi | @ahmd_halabi | |
willu | @bryax | |
"><marquee>"><marquee>"><marquee>"><marquee>"><marquee>"><marquee>"><marque | @bug2bgug_2 | |
shubham chaskar | @chaskarshubh | |
h0nda | @h0nde | |
Kaushikk | @kaushikkbadri | |
kenjoe41 | @kenjoe41 | |
@logicalh4x0r | ||
@lordjerry0x01 |
Maxteroit | @maxteroit | |
Mohsin Ali | @mohsin_ali | |
Nicollas | @nicklop2 | |
mr sanman | @nobody-cares | |
@rajkumar_321 | ||
@sfghkjljhgrefdghj | ||
Mrityunjoy | @sup3r-b0y | |
Mostafa samy | @tefa_ | |
Theo K | @theo01 | |
Eric | @todayisnew | |
Muhammad Billadilathof | @tofla | |
U-ITACHI | @u-itachi | |
zelzal | @zelzal | |
Lawrence | @zeop |
2019
Abhijeet Sarkar | @0xabhijeet | |
@aaaa4234234234234234 | ||
Ahmad Abdullahi Adamu | @ahmadbrainworks | |
Ajith Kumar | @ajithvinu | |
blackfox888 | @blackfox888 | |
Danang Tri Atmaja | @danangtriatmaja | |
Sahil Ahamad | @ehsahil | |
EN | @en_ | |
hudzaifah | @hudzaifah | |
@lordjerry0x01 | ||
Juho Myllys | @muon4 | |
Xynerva | @naufales | |
@securitybreaker | ||
stowaway | @stowaway | |
Eric | @todayisnew | |
@uptown | ||
Zamalek | @zamalek |
2018
Reda El Hachloufi | @666reda | |
@amanmahendra | ||
11e6bff0452dc6986773280e03e20c2e0cc0058caf8acfc05f60a5a790fb6276661540fd71 | @b8aeec26d071322ed0bf817 | |
ac073cb528cbc844e12ed97f3211a279832c715e75393c39a7020109c246e4d3a57c17cfd7 | @bc619033c2bc9865eccb277 | |
@black-shadow | ||
Andrea | @bocc | |
hi | @clean | |
Codarren Velvindron | @codarren | |
Suraj | @d_suraj89 | |
@dotx | ||
Travis Lee | @eelsivart | |
@gujjuboy10x00 | ||
Sergey Kashatov | @iframe | |
Professer | @insomniac | |
irmiaw | @irmiaw | |
Jack Burton | @jackb898 | |
@japz | ||
@karthic | ||
Kunal Pandey | @kunal94 | |
lacroute | @lacrouteserge | |
@lordjerry0x01 | ||
therealandrew3000@gmail.com | @m00se | |
Michał Muszalski | @mmuszalski | |
Monish | @monish | |
@mostafamamdoh | ||
Juho Myllys | @muon4 | |
Nightwatch Cybersecurity | @nightwatch-cybersecurity | |
Nikita Tikhomirov | @nstikhomirov | |
David Andrew | @nvikodv | |
oldhacker | @oldhacker | |
b Rizwan | @outhackthem | |
Kenneth A. Davis | @poesed86 | |
Pratik Bhoir | @pr4tik_9007 | |
Prafull Pansare | @prafull_pansare | |
REY MARK DIVINO | @r3y | |
vasateja | @rahulztej | |
rogov | @rogov | |
Security killer | @rootbd | |
<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoIlhTUyIpPg==> | @sachin_kumar19 | |
Techtronic | @scotborg | |
Skadoosh | @shamrocksu88 | |
Shreyas Jadhav | @shreyas_hs | |
Suhas | @suhas_gaikwad | |
CongRong | @tr3jer | |
@uzkova | ||
Veena | @veena | |
Mohammed Israil | @villagelad | |
joël aviad ossi | @websecnl | |
Whitehat_Hacker | @whitehat_hacker | |
Aditya Dixit | @z0mb13 |
2017
Ciph3r00t | @0xciph3r00t | |
addd | @add12344441 | |
Three Ninner Alpha | @alpha66 | |
Harsh Jaiswal | @bugdiscloseguys | |
Dawid Czagan | @dawidczagan | |
Md. Nur A Alam Dipu | @depu1994 | |
Joe Black | @dn24 | |
Sahil Ahamad | @ehsahil | |
Yasser Gersy | @exception | |
Brian Carpenter | @geeknik | |
Gabe Pike | @gpike | |
Mahdi Al Hashemi | @hat_mast3r | |
Jigar Thakkar | @jigarthakkar39 | |
Mohammad Aman khan | @leet-boy | |
Luciano Corsalini | @lucio | |
Muhammad Abdullah | @mahitman | |
Mark Litchfield | @mlitchfield | |
Nightwatch Cybersecurity | @nightwatch-cybersecurity | |
Black Ashes | @nullelite | |
Paresh parmar | @paresh_parmar | |
Peter 🎩🎩🎩🎩 | @peter-676 | |
Sahil Saif | @sahilsaif |
Sergii Sizov | @sergiisizov | |
Mrityunjoy | @sup3r-b0y | |
Aworunse Matthew T | @temmyscript | |
Eric | @todayisnew | |
yappare | @yappare |