New Forwarding Company (Новая перевозочная компания)

Company: Новая Перевозочная Компания
New Forwarding Company offers freight rail transportation services to big industrial customers and provides railcar leasing and auxiliary services. We aim to deliver the best experience to our clients and keep our partners and employees safe.
Program description

Our code of conduct

• We respect the time and efforts of our researchers.
• We will reply to you within 5 business days.
• We will aim to process the report within 15 business days after replying to your submission.
• If we need more time to process the report, we will let you know.
• We will define the reward amount within 15 business days of finishing triage.
• We will do our best to keep you informed about our progress throughout the report processing.

Your code of conduct

• Be an ethical hacker and respect the privacy of other users.
• Avoid actions that might result in privacy violations, destruction of data, or interruption or degradation of our services.
• When using automated security scanners, make sure they are making no more than 70 requests per second to a single host (including all concurrent streams and all scanners running simultaneously).
• Carefully read the program rules before proceeding with your research.

Bug bounty scope

• npktrans.ru
• *.npktrans.ru

Scope restrictions

We neither accept nor consider reports on the following:

• Ability to perform an action unavailable via the user interface without identifiable security risks.
• Disclosure of non-sensitive information such as product versions, server file paths, stack traces, and so on.
• Possible DDoS attacks.
• Disclosure of private IP addresses or domains that resolve to private IP addresses.
• Reports generated by vulnerability scanners and other automated tools.
• Publicly available login panels.
• Clickjacking.
• Leakage of sensitive tokens (such as password reset tokens) to trusted third parties over a secure connection (HTTPS).
• Previously known vulnerable libraries without a working proof of concept (PoC).
• Improbable or hypothetical attacks without proof of their feasibility.

We consider reports on the following as informative:

• Vulnerabilities that can only be exploited via browser versions released six or more months before the report submission or browser versions that are no longer supported.
• Self-XSS.
• XSS in unpopular browsers (such as IE) or browser versions released more than six months ago.
• Flash-based XSS.
• XSS that does not affect sensitive data.
• CORS misconfigurations.*
• DoS attacks.*
• Insecure SSL/TLS configuration.*
• Full path disclosure.
• Disclosure of technical or non-sensitive information* (for example, product or software versions and stack traces).
• Missing protection mechanisms or best practices without demonstration of real security impact for the user or system* (for example, lack of HTTP security headers, cookie security flags, or anti-CSRF tokens).
• Open redirect vulnerabilities that do not involve other attack vectors (for example, for authorization token theft).
• Page content spoofing.
• Tabnabbing.
• Vulnerabilities with overly sophisticated, unrealistic, or unlikely user interaction scenarios.
• Lack of best practices in DNS and mail server configuration (such as DKIM, DMARC, SPF, and TXT).
• Unlimited ability to send emails with no control over their contents.
• 0-day or 1-day vulnerabilities for which an official patch was released less than three weeks ago. (Such reports are considered on a case-by-case basis and may be awarded with a bounty at the discretion of New Forwarding Company's specialists.)
• Broken or outdated links to social media pages and similar resources.
*Without a detailed description of the attack vector and proof of the potential damage or harm.

Report requirements

A vulnerability report must contain the following:
• Vulnerability name.
• Product name and version of the vulnerable software (or component).
• Proof of concept (PoC) and detailed description of the discovered vulnerability as well as steps to reproduce it (screenshots, videos, code fragments, or request examples).
• Description of the attack scenario: who can exploit the vulnerability, in what circumstances, and so on.
• Recommendations for remediation.
Please submit a new report for each discovered vulnerability. If multiple security issues must be exploited to carry out an attack, you can describe them in a single report. In that case, present it clearly in the report and specify the number of discovered vulnerabilities and their class.

Rules

Rules for researchers

• Be an ethical hacker: adhere to the regulations and laws related to information security.
• Read the program rules before taking action: you must follow the terms described here.
• Test only the systems that are in scope of this program: testing other systems of New Forwarding Company is prohibited.
• Document your actions as clearly and thoroughly as possible: we need all the information you have to review the report properly.
• Respect the privacy of others: you can only share information about discovered security issues with the program's organizers.
• Work with our security team: provide additional information and your feedback after the vulnerabilities you discovered have been fixed.
• Respect our decisions: if you disagree with a decision made by our specialists, be polite and provide evidence of why you think the decision is wrong.
• Note that we reward researchers according to the program terms: the final decision on the bounty and its amount will be made by our security team.

Prohibited actions

If you use forbidden methods or tools for testing, we reserve the right to deny you a reward or disqualify you from the program. By violating the rules, you may not only lose the bounty that you could otherwise be eligible for, but also be permanently excluded from this and other programs of New Forwarding Company.
• Do not use social engineering methods, including phishing, vishing, smishing, and so on.
• Do not perform physical attacks on the company and its infrastructure.
• Do not use accounts that you do not own: hacking or accessing users' accounts without their permission is prohibited.
• When obtaining access to confidential information, do not copy, store, or transmit it: any copies created by you during testing must be deleted.
• Do not conduct post-exploitation activities after testing.
• Do not perform attacks that aim to take the system out of operation (such as DDoS attacks): to demonstrate the exploitation of a vulnerability, use basic commands.

Testing rules

When testing for security issues, please adhere to the following rules:
• Only use your own accounts.
• Do not compromise the confidentiality, integrity, and availability of data in our services.
• Do not perform actions that may harm the company, its infrastructure, clients, or partners.
• Use basic commands for the PoC or the minimum of evidence necessary to show the existence of the vulnerability.
• Contact us if you think that further testing may lead to the violation of these rules.

Information disclosure rules

• Submit your reports only through the form on the platform.
• Do not publicly disclose information about the discovered vulnerability without the permission of our security team.
If you violate these rules, we will have to exclude you from this and other programs of New Forwarding Company and take measures according to the Criminal Code of the Russian Federation.

Rewards

We reward external security researchers only for the discovery of previously unknown vulnerabilities, provided that all participation rules are complied with. Rewards are paid according to the information under the Reward for vulnerabilities section.
All reports are considered on a case-by-case basis with regard to the severity of the discovered vulnerability and the criticality of the affected system.

Vulnerability severity assessment

We reserve the right to make the final decision on the severity of the discovered vulnerability. After receiving the report, we conduct an internal investigation and determine the severity level based on multiple factors, including the following:
• Privileges required to conduct the attack.
• Difficulty of discovery and exploitation.
• Need for user interaction.
• Impact on the integrity, availability, and confidentiality of the affected data.
• Potential business and reputational risks.
• Number of affected users.

Rules for handling duplicates

We only reward the first report we receive on a specific vulnerability, provided that it contains all the data necessary to reproduce the vulnerability. Duplicate reports related to the same vulnerability will be marked as Duplicate. No rewards are provided for such reports.
Reports that describe similar attack vectors will also be marked as Duplicate if our security team decides that information from the original report is sufficient to fix all discovered exploitation vectors.
The original report may be authored by a researcher or the company's internal security team.
Launched September 15, 2023
Edited November 28, 13:21

Program format: Vulnerabilities

Reward for vulnerabilities by severity level:
• Critical: ₽50K–100K
• High: ₽20K–50K
• Medium: ₽10K–15K
• Low: ₽0–0
• None: ₽0–0

Program statistics:
• Paid in total: ₽216,000
• Average payment: ₽13,500
• Paid in the last 90 days: ₽70,000
• Valid reports: 93
• Submitted reports: 100