Instruction: This is an environment specific to HackerOne. It has almost the same setup as the production environment, so any vulnerability found here will probably affect both.
Get in touch if you need test credentials to log in and explore the app.
Please do not report issues for our website www.qulture.rocks, only for the app on https://hackerone.qulture.rocks.
# Login strategy
1. We do not block or limit login attempts with invalid emails;
2. For valid emails, if the password is incorrect, we activate reCAPTCHA after 2 wrong attempts (only in the production environment);
3. In order to avoid DDoS, valid users are never blocked due to failed login attempts.
# Credentials
Request the credentials by creating a report with the title "Credentials request" (severity: none). We'll reply ASAP :)
After we reply, please close the report within seven days; otherwise, we'll close it as Informative.
# TLS
We are already aware that this environment is not running the latest TLS version; this is out of scope. Our production environment is using the latest version.
# Public links
We do have some public links which may be mistaken for vulnerabilities (e.g. https://hackerone.qulture.rocks/translations and https://hackerone.qulture.rocks/robots.txt).
# Out of scope items
The following items are out of scope:
1. No rate limit for authenticated API requests
# Contacting us
We kindly ask you not to send messages to email addresses you may find on our website for issues related to this program, and not to request credentials via chat; please send messages via the HackerOne platform instead.