Responsible Vulnerability Disclosure

Modyo customers with a support contract can report the vulnerability directly through the Modyo Support Center, issuing a security incident.

Otherwise, send an email to security@modyo.com.

What we need from you

Detail the steps you followed that make the vulnerability exploitable including any URLs or code you used. The more information you provide, the faster we can reproduce and fix the problem.

Please don’t send PDF, DOC, or EXE files or reports generated by DAST products. We do accept images.

Focus areas

• Cross-site scripting (XSS)
• SQL injection (SQLi)
• Cross-site request forgery (CSRF)
• Remote code execution (RCE)
• Cookies not used for authentication or CSRF protection, not being marked as Secure or HTTPOnly
• Data breaches, such as data of private sites or unauthorized admin access to Modyo.

Program Scope

The domains that are part of the Responsible Disclosure program are the following:

• https://www.modyo.com/
• https://docs.modyo.com/
• https://es.modyo.com/

In the case of https://support.modyo.com/ it is an external tool that belongs to Zendesk, so we recommend referring your reports to its bug bounty program. bug bounty program.

Prohibited actions

Modyo prohibits users from downloading, modifying or accessing data from an account other than their own. The following actions are also prohibited:

• Executing or attempting to execute a denial of service attack
• Posting, transmitting, uploading, linking or saving any malicious software intentionally on or through the Modyo services
• Send or cause to be sent spam or other unsolicited messages to users
• Conduct testing in a manner that degrades the performance of our services
• Conduct testing in violation of applicable law or our terms of services

How Modyo rewards you?

It’s in our plans, but we don’t have a bug bounty program currently. Instead, if you accept it, we’ll put you in our Hall of Fame section of this guide under the name or nickname of your choice.

Public disclosure

You need to get our permission before disclosing an issue publicly. We’ll only consider your public disclosure request after we’ve fixed the reported vulnerability.

Hall of Fame

Thank you all for having reported vulnerabilities privately!

• Kunal Mhaske (3)
• Sushmita Poudel (3)
• Girish B O (2)
• Heidar Zeinalli (2)
• Younghun Lee (1)
• Shrivallabh Walkade (1)
• Kullai Metikala (1)
• Phyo WaThone Win (1)
• Nikhil Rane (1)
• Samir Gondaliya (1)
• Jagadeeswaran B (1)
• Siddhi Kulkarni (1)
• Punam Shah (1)
• Veshraj Ghimire (1)
• Durvesh Kolhe (1)
• Prashant Ghule (1)
• Garv Kataria (1)
• Suraj Kumar (1)
• Tejas Pagare (1)
• Harish Harishwar (1)
• Sahaj Gautam (1)
• Vaidik Pandya (1)
• Muhammad Naseem (1)
• Sammam Qureshi (1)
• Amit Kumar (1)
• Suresh S (1)
• Shivam Dhingra (1)
• Prateek Shukla (1)