Natural Cycles Security Bug Bounty Policy

• Please send your findings to: security@naturalcycles.com
• Include as much detail as possible (steps to reproduce, potential impact, affected endpoints, logs, screenshots, or proof-of-concept code, suggestions to remedy the identified vulnerability etc).
• We reserve the right to change or cancel the program rules of the Natural Cycles Security Bug Bounty Program at any time.

You can expect the following once we receive your report:

• Provided you have given your consent, we are permitted to credit you by name as the reporter of a vulnerability.
• You will receive an acknowledgement of receipt within 10 business days of disclosing the issue. Natural Cycles will triage the report within 15 business days.
• Natural Cycles will investigate all reports and, to the extent required by law, will notify the competent supervisory authorities and affected users.
• Wherever possible, Natural Cycles will keep the reporting party informed of developments and the remedy for the vulnerability.
• In the event of a CVD publication, Natural Cycles will coordinate disclosure with all involved parties, to the extent possible or required by law.

The following assets are considered in-scope for this program:

•  *.naturalcycles.com (all subdomains owned and operated by Natural Cycles)
  • Subdomains pointing to third-party services (e.g. SaaS platforms) are in scope only for misconfigurations or vulnerabilities introduced by Natural Cycles, not for issues in the underlying third-party service.
• Naturalcycles Android and iOS apps

Reports in the following categories will not be eligible for rewards:

• Generic clickjacking attacks
• Issues related to DNSSEC configuration
• Issues that cannot be reasonably addressed by Natural Cycles (e.g., how Firebase handles cache purge requests)
• Vulnerabilities discovered by automatic scanners
• Reports without demonstrable security impact
• Reports of vulnerabilities that were discovered by non-compliance with the program rules
• Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
• Vulnerabilities that only work on software that no longer receive security updates

Reports that state that software is out of date/vulnerable without a proof-of-concept

• Eligible, valid findings may receive a monetary reward, determined by severity, impact, and quality of the report.
• Eligible Vulnerabilities must be a new, previously unreported, vulnerability or bug in order to be eligible for reward or recognition.
• Rewards are granted at our discretion and eligibility depends on adherence to the program rules and may not violate any law
• For the avoidance of doubt, you must not have been involved with the theft or exfiltration of data that is the subject of the report (including the solicitation of or coordination of others to conduct the theft or exfiltration of data)

• The following are strictly prohibited:
  • Attacks on Natural Cycles infrastructure or facilities
  • DOS attacks are not allowed
  • Installation of malware or viruses.
  • Brute force or Social Engineering attacks or phishing.
• Do not exploit a vulnerability beyond what is necessary to demonstrate it.
• Do not leverage a vulnerability to access, modify, delete, or exfiltrate user data
• or any personal and confidential data. Use only your own account(s) for testing.
  • The report must include an affirmation that you were not involved in any theft or exfiltration of data as a result of the vulnerability that is the subject of the report.
  • Natural Cycles maintains the position that any activity on its network that results in the theft of data, or damage to its systems, is unauthorized, including under the U.S. Computer Fraud and Abuse Act.
• Do not disrupt our services (e.g., through DDoS, brute force, or automated scanning).
• Do not request any payment as a condition to report the vulnerability.
• Do not discuss the vulnerability you have discovered with anyone other than us (the system owner) during the coordinated disclosure process.
• Once you have reported a vulnerability, do not repeatedly interact with the affected system during the coordinated disclosure process.
• Do not publicly disclose the identified vulnerability before we have investigated and remediated it.
• If you plan to disclose your findings publicly, please communicate your intentions to us.

We will not pursue legal action against researchers who:

• Act in good faith, without fraudulent intent or intention to harm and in accordance with the program rules.
• Report vulnerabilities promptly and privately
• Avoid privacy violations, service disruption, and data destruction
• Please be aware that participating in our bug bounty program may qualify as a criminal offence according to local laws for which we exclude any and all liability, to the extent permitted by law, and for which we cannot hold you harmless.