Driven Financial Technologies Corporation (“Driven”) encourages responsible disclosure from security researchers, partners, and end users to keep our customers safe. You are encouraged to email us at bugbounty@driven.ca to let us know of any suspected or confirmed vulnerabilities with Driven web properties.
Submission guidelines
- If the report is not detailed enough to reproduce the issue, it will not be eligible for a reward (see “Rewards” section below). Please paste the template outlined below directly into the body of the email.
- Do not attach video or audio files to submission emails.
- Submissions of raw tool outputs without additional analysis demonstrating impact are not eligible for reward.
- Submit one vulnerability per report, unless chaining vulnerabilities is needed to demonstrate impact.
- Please avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Scope
Out of scope
- Phishing
- Physical penetration testing
- Vulnerabilities that are not direct application dependencies, do not have direct user impact, and are the result of a third-party service (software libraries, frameworks, and server versions).
- Clickjacking on pages with no sensitive actions
- Unauthenticated/logout/login cross-site request forgery (CSRF)
- Attacks requiring man-in-the-middle or physical access to a user's device
- Previously known vulnerable libraries without a working Proof of Concept (PoC)
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Activities that could lead to a denial of service (DoS). For suspected DoS issues, send us a PoC for evaluation
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Report template
Title:
Contact information:
Description:
- Summary:
- Asset:
- Weakness:
  - Broken access control
  - Cryptographic failures
  - Injection
  - Misconfiguration
  - Outdated components
  - Integrity failures
  - Logging and monitoring failures
  - Server-side request forgery
  - Memory Corruption
  - Porous defenses
  - Risky resource management
  - Insecure interaction between components
  - Other
- Severity:
  - Informational
  - Low
  - Medium
  - High
  - Critical
- CVSS v3.1 Base Score (calculate here - https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator):
  - Attack Vector
    - Network, Adjacent, Local, Physical
  - Attack Complexity
  - Privileges Required
  - User Interaction
  - Scope
  - Confidentiality
  - Integrity
  - Availability
- Security impact (250 words):
- Steps to reproduce (we love screenshots!)
Supporting materials and references:
Disclosure policy
- Multiple vulnerabilities caused by one underlying issue will be awarded once.
- We only award the first fully reproducible report received for duplicate submissions.
- Do not share information related to vulnerabilities identified, regardless of status, without written consent from Driven.
- Security tests or research that interferes with or disrupts the integrity or performance of our platform violates Driven’s acceptable use policy.
Driven will not pursue legal action against any reporter who complies with all of the guidelines for performing and reporting security evaluations, and also fully cooperates with Driven’s requests for assistance to reproduce a vulnerability.
Response to security reports
If your submission meets the scope and format outlined above, Driven will endeavour to meet the following timelines:
- Initial acknowledgement of report submission: 5 business days
- Time to triage (prioritize the reproduction and confirmation of finding) after acknowledgement: 15 business days
An automatic reply will follow to acknowledge the receipt of your submission. The security team will update researchers who provide valid submissions regularly throughout the process as soon as there are updates to share. Please refrain from asking for updates within the above timelines. Timelines to patch and issue monetary rewards from triage will vary based on the complexity of submission and business priorities. Driven may change the above commitments over time as needs and requirements change.
Rewards
Driven will award an Amazon Canada gift card as a reward for a successful report submission, as determined by Driven in its sole discretion. The amount on the gift card may range from $50 CAD to $200 CAD and will vary based on severity of the vulnerability/vulnerabilities. The reward must be accepted as awarded. It cannot be converted into cash, substituted, transferred to another person or refunded. The reward is subject to any terms and conditions from the gift card issuer.
Should Driven be unable to award the reward as described above, it reserves the right, at its sole discretion, to replace the reward with a reward of a similar nature and equivalent value.
Driven is not responsible for any associated costs incurred in claiming the reward, or any claims or losses arising out of accepting or using the reward. You are solely responsible for the reporting and payment of any and all taxes, if any, that may result from claiming a reward.