We are committed to protecting our customers’ information. If you believe you’ve identified a security vulnerability, we appreciate your help in disclosing it in a responsible manner, by notifying us by email at firstname.lastname@example.org.
Please take note of the following points:
- Please describe the flaw(s) in sufficient detail, and state the ramifications of the exploits.
- Please include a reproducible proof of concept if applicable, such as code snippets, request URLs and attack payloads, screenshots, packet trace files or video captures that demonstrate the exploit. If handy, list reference materials at external sites if they might help us better understand the nature of the issue.
- Please avoid reporting several types of vulnerabilities in the same email, as that may hinder us from aggregating similar vulnerability reports and prevent us from quickly identifying critical vulnerabilities. If you have multiple vulnerabilities to report, please send us one email for each type of vulnerability.
- Please do not engage in testing that can impact our customers or lead to degradation of service, such as denial of service attacks, social engineering and spam.
- You are not allowed to conduct penetration tests on the host level.
- You may not harvest information associated with any account that is not yours. If you accidentally come across such information, you should report the vulnerability to us and expunge all locally stored copies of third-party data.
- Please keep your findings secret until we have confirmed and remediated the issues.
- We may contact you to request additional information if your report does not carry sufficient information for us to understand the context of the issues being reported.
- We will get back to you within 1 business day to 1-3 weeks, depending on the severity of the issue and the quality of your report. Please do not bombard us with status-check inquiries.
Qualifying disclosures may make you eligible for our hall of fame, as described below.
Hall of Fame
If a severe vulnerability is discovered, we appreciate your contribution by acknowledging your efforts on our hall of fame, subject to the following provisions:
- If we receive multiple reports for the same vulnerability, only the first helpful report will be acknowledged.
- GoAnimate reserves the right to pick the “first helpful report” by evaluating factors including but not limited to the time of receipt and completeness of the submission. The guiding principle for helpfulness is how much the submission, in its own right, helped us identify and remediate a specific qualifying vulnerability.
- By submitting a vulnerability to us, you agree that the decision of whether an acknowledgment is to be provided remains at the sole discretion of GoAnimate.
- Similarly, GoAnimate reserves the right to reject any vulnerability report at our discretion.
- Acknowledgments are currently listed on the security disclosure page. GoAnimate reserves the right to relocate the content to another URL as may be required in the future due to site restructuring or for any other reason.
- No monetary compensation will be provided.
Please note that Clickjacking and CSRF vulnerabilities are only reviewed for sites and pages where the ease of exploit and risk to goanimate.com and goanimate4schools.com are significant.
The Security Disclosure Program is subject to change or cancellation by GoAnimate at any time, without notice. As such, GoAnimate may amend these terms at any time by posting a revised version on our website.
Known Issues and Special Items
Here are some of the frequently-reported items that we are either in the process of remediating or have decided not to address at this point. Reports regarding these items are not eligible for acknowledgement in the Hall of Fame:
- Session management issues on goanimate.com and goanimate4schools.com, such as long-running sessions and vulnerabilities that require cookie replay.
- XMLRPC enabled on GoAnimate blogs.
- Potential XSS on GoAnimate blogs.
Please note that GoAnimate blogs are not in the scope of our responsible disclosure program. However, if a valid and critical vulnerability exists on GoAnimate's blog, we would like to know about it, and we are happy to acknowledge those submissions in the Hall of Fame as well.
The following lists give examples of vulnerabilities that are eligible and ineligible, respectively, for consideration for inclusion in the hall of fame. The lists are not exhaustive.
Examples of Qualifying Vulnerabilities
- Authentication bypass
- Cross site scripting
- Server-side code execution
- SQL Injection
- Privilege escalation
- Sensitive information exposure
Examples of Non-Qualifying Vulnerabilities
- Denial of Service
- Social Engineering
- Mixed-content scripts
- Insecure cookies
- Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves susceptible
- Vulnerabilities specific to out-of-date browsers
- Web server banner disclosure
We want to thank the following individuals for reporting vulnerabilities responsibly to us. Thank you!
- Rodolfo Godalle (@rodgodalle)
- Koutrouss Naddara
- Osama Mahmood
- Thatipalli Abhishek
- Mihir Mistry
- Ch. Muhammad Osama (@ChMuhammadOsama)
- Arvind Singh Shekhawat (@EhArvindSingh)
- JAYVARDHAN SINGH (@Silent_Screamr)
- Saurabh Chandrakant Nemade (@SaurabhNemade)
- Anurag Giri
- mahipal singh rajpurohit (@rajgurumahi007)
- Sebastian Neef & Richard Kwasnicki
- Renatas Karpuška
- Muhammad Talha Khan (@M7K911)
- Kesav Viswanath Nimmagadda (@kesavnimmagadda)
- Kamil Sevi (@kamilsevi)
- ajay singh negi (@AjaySinghNegi)
- Nadi Abdellah
- Roy Jansen (@RoyJansen_01)
- Jaidip Kotak (@JaidipKotak)
- Ahmed Y. Elmogy
- Ramin Farajpour Cami (@MF4rr3ll)
- Ahmed Jerbi
- Ayoub Ait Elmokhtar (@aessadek)
- Sandeep Sudhagani
- ABDULWAHAB Khan (@hackerwahab)
- Pal Patel
- RAVELA PRAMOD KUMAR (@PramodRavela)
- İsmail BÜLBÜL (Usgf.org.tr)
- Ismail Tasdelen