Security is a critical concern for every company, and Safaricom, just like many other companies, takes all reports of security vulnerabilities seriously. If you believe that you have identified a security issue with any of Safaricom’s products or services, the company encourages you to report the issue as soon as possible. In this article, we will explain the process for reporting security vulnerabilities to Safaricom and what you can expect.
Why Report Security Vulnerabilities to Safaricom
Safaricom is committed to ensuring the security of its products and services. By reporting any security vulnerabilities you discover, you can help Safaricom maintain the highest level of security for its customers. Additionally, if your report is valid and impactful, you may be invited to join the private Bug Bounty Program on HackerOne.
How to Report a Security Vulnerability
To report a security vulnerability to Safaricom, you should send an email to [email protected]. Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Safaricom’s Bug Bounty Program has specific rules that must be followed when reporting security vulnerabilities. These rules include:
Submit One Vulnerability per Report
Unless you need to chain vulnerabilities to provide impact, you should only submit one vulnerability per report.
Reports should include detailed information on the vulnerability and reproducible steps to help Safaricom investigate and fix the issue.
First Report Only
When duplicates occur, only the first report that was received and can be fully reproduced will be awarded.
One Bounty for Multiple Vulnerabilities
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering (e.g. phishing, vishing, smishing) is prohibited. Additionally, any tests that violate privacy, destroy data, or cause service interruption or degradation are not eligible for a bounty reward. You may only interact with accounts you own or have explicit permission to use.
Not all vulnerabilities are eligible for a bounty reward. Out-of-scope vulnerabilities include denial of service attacks, clickjacking/UI redressing attacks on pages with no sensitive actions, unauthenticated/logout/login CSRF, and attacks requiring MITM or physical access to a user’s device.
Other out-of-scope vulnerabilities include:
Previously known vulnerable libraries without a working Proof of Concept
Comma-separated values (CSV) injection without demonstrating a vulnerability
Missing best practices in SSL/TLS configuration
Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS
Issues in third-party services/platforms that are beyond our control
Vulnerabilities reported by automated tools without additional analysis as to how they are an issue
All brute-force attacks
Self-XSS and XSS that affects only outdated browsers
Host header and banner grabbing issues
Missing HTTP security headers and cookie flags on insensitive cookies
Open redirects, unless they can be used for actively stealing tokens
User enumeration, such as user email, user ID, etc.
Phishing/spam (including issues related to SPF/DKIM/DMARC)
Missing security best practices (e.g. account lockout, captcha)
Session fixation and session timeout
Any bugs or issues related to third parties or vendors such as Cisco, Oracle, Microsoft, etc.