Responsible disclosure
As a financial services company, Azimo takes security very seriously. We are always interested in hearing from people who have tested our systems, and we offer financial rewards to those who manage to find certain kinds of vulnerability.
If you have found a security vulnerability in Azimo’s systems, please send an email in English to security(at)azimo.com with the subject line “BugBounty”.
Assets In Scope:
- azimo.com
- api.azimo.com
- Latest version of the Azimo mobile applications
Out of Scope
The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):
Assets:
- blog.azimo.com
- training.azimo.com
- Any other subdomains not related to the production platform
Actions:
- Any physical attempts against Azimo Ltd. property or data centers
- Attacks requiring physical access to a user's device
- Clickjacking on static websites
- Content spoofing / text injection
- (Distributed) Denial of Service attacks, including Slowloris
- Descriptive / verbose / unique error pages (without evidence of exploitability)
- Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
- Issues related to software or protocols not under Azimo Ltd. control
- Missing security headers which do not lead directly to a vulnerability
- Mixed content warnings
- Password and account recovery policies, such as reset link expiration or password complexity
- Password reset token leaked to 3rd parties (without evidence of exploitability)
- Reports from automated tools or scans
- TLS/SSL best practices
- User enumeration
- Vulnerabilities affecting users of outdated browsers or platforms
- Vulnerabilities on web properties not listed above as being in scope
Qualifying Vulnerabilities
Any eligible report that results in a change being made will be financially rewarded as part of our bug bounty program. However, we particularly welcome reports of any design or implementation issue that is reproducible and substantially affects the security of Azimo Ltd. users. Common examples include:
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Authentication / access control bypass
- Remote Code Execution (RCE)
- Leaking Personally Identifiable Information (PII) through on-device storage or external endpoints
Please include the following information in your email:
Short description
A single-line description of what the vulnerability is.
Target
The domain/API in which you found the vulnerability.
Vulnerability details
Describe the vulnerability in full and provide a proof of concept. Please include the following information, if applicable:
- URL / Location of vulnerability
- What the vulnerability is (from your point of view)
- What the security impact is (from your point of view)
- Replication steps
- Proof of concept
- Trace dump / HTTP request
Attachments
Please provide attachments in PDF format only. Please send any sensitive data through https://paste.ec rather than in the email itself.
Email
Please provide an email address that we can use to contact you. All correspondence should be in English.
We will contact you with the details concerning the reward, if applicable.
Reward
If your submission is categorised as valuable by the security team, we will reward you in accordance with the issue’s severity. You will receive all the information by email within two weeks.