IconIconIconIcon
CN
中文
Icon选择您的所在国家或地区Icon
Icon
AR
ArgentinaEspañol
BR
BrasilPortuguês
CO
ColombiaEspañol
CZ
ČeskoČeština
DK
DanmarkDansk
DE
DeutschlandDeutsch
EE
EestiEesti
GR
ΕλλάδαΕλληνικά
ES
EspañaEspañol
FR
FranceFrançais
HR
HrvatskaHrvatski
IN
IndiaEnglish
IN
भारतहिंदी
ID
IndonesiaBahasa Indo
IT
ItaliaItaliano
JP
JapanEnglish
LV
LatvijaLatviešu
LT
LietuvaLietuvių
HU
MagyarországMagyar
MY
MalaysiaEnglish
MX
MéxicoEspañol
NL
NederlandNederlands
NO
NorgeNorsk
PK
PakistanEnglish
PH
PhilippinesEnglish
PL
PolskaPolski
PT
PortugalPortuguês
RO
RomânăRomânia
SK
SlovenskoSlovenčina
FI
SuomiSuomi
SE
SverigeSvenska
TR
TürkiyeTürkçe
UA
УкраїнаУкраїнська
GB
United KingdomEnglish
US
United StatesEnglish
VN
Việt NamTiếng Việt
AE
الدول العربيةالعربية
IL
יִשְׂרָאֵלעברית
TH
ประเทศไทยไทย
KR
대한민국한국어
CN
中国中文
WordPressIcon
Icon
自托管 WordPress包含高级内置功能和AI工具。
Icon
自托管 WooCommerce启动并扩展你的电子商务网站。
建站助手Icon
Icon
Hostinger网页制作器使用 AI 在几分钟内创建网站。
Icon
eCommerce Website BuilderAll the tools you need to build an online store.
主机产品Icon
Icon
共享虚拟主机适用于中小型网站
Icon
Hostinger云托管适用于大型项目
Icon
VPS主机专用资源用于规模化
Icon
Hostinger电子邮件主机全方位提升您的业务性能
Pro
域名
登入

Hostinger 责任披露政策和错误奖励计划

请仔细阅读本协议,因为它包含有关您的合法权利和补救措施的重要信息。

服务条款
注册商信息
隐私政策

协议

域名注册协议
域名转让协议
托管协议
推荐计划协议
数据处理附录
注册人协议变更
联盟计划协议

政策

Cookie 政策
Hostinger 责任披露政策和错误奖励计划
TLD 注册管理机构政策
品牌指南和权限
商标/版权
域名争议解决
滥用处理政策
过期注册恢复政策
退款政策

公司政策

第三方行为准则

法律协议和政策的英文版本被视为本文件当前唯一有效的版本。提供任何翻译版本只是为了方便您阅读和理解英文版本。任何翻译版本都不具有法律约束力,并且不能替代英文版本。如有分歧或冲突,以英语法律协议和政策为准。

Icon
服务条款注册商信息隐私政策协议域名注册协议域名转让协议托管协议推荐计划协议数据处理附录注册人协议变更联盟计划协议政策Cookie 政策Hostinger 责任披露政策和错误奖励计划TLD 注册管理机构政策品牌指南和权限商标/版权域名争议解决滥用处理政策过期注册恢复政策退款政策公司政策第三方行为准则
服务条款注册商信息隐私政策协议域名注册协议域名转让协议托管协议推荐计划协议数据处理附录注册人协议变更联盟计划协议政策Cookie 政策Hostinger 责任披露政策和错误奖励计划TLD 注册管理机构政策品牌指南和权限商标/版权域名争议解决滥用处理政策过期注册恢复政策退款政策公司政策第三方行为准则

最后修订: 2024-08-27 14:56:37

RESPONSIBLE DISCLOSURE POLICY

Hostinger encourages the responsible disclosure of security vulnerabilities in our services or on our website. In order to facilitate the responsible disclosure of security vulnerabilities, we agree that if, in our sole discretion, we conclude that a disclosure meets all of the guidelines of the Hostinger Bug Bounty Reward Program, Hostinger will not bring any private or criminal legal action against the disclosing party.

BUG BOUNTY REWARD PROGRAM POLICY AND TERMS

Our team of dedicated security professionals works vigilantly to help keep customer information secure. We recognize the important role that security researchers and our user community play in helping to keep Hostinger and our customers secure. If you discover a site’s or product’s vulnerability please notify us using the guidelines below.

PROGRAM TERMS

Please note that your participation in the Bug Bounty Reward Program (“Bug Bounty Program”) is voluntary and subject to the terms and conditions set forth on this page (“Program Terms”). By submitting a site or product vulnerability to Hostinger you acknowledge that you have read and agreed to these Program Terms.

These Program Terms supplement the Terms of Service and Privacy Policy and any other agreement in which you have entered with Hostinger. The terms of those Hostinger agreements will apply to your use of, and participation in, the Bug Bounty Program as if fully set forth herein. If any inconsistency exists between the Terms of Service, Privacy Policy and these Program Terms, these Program Terms will prevail, but only with regard to the Bug Bounty Program.

To encourage responsible disclosures, Hostinger commits that, if we conclude, in our sole discretion, that a disclosure respects and meets all the guidelines of these Program Terms, Privacy Policy and Terms of Service, Hostinger will not bring a private action against you or refer a matter for public inquiry.

As part of your research, you shall  not modify any files or data, including permissions, and shall not intentionally view or access any data beyond what is needed to prove the vulnerability.

Hostinger will make a best effort to adhere to the following response targets:

Type of ResponseBusiness days
First Response2 working days
Time to Triage5 working days
Time to Bounty14 working days
Time to Resolutiondepends on severity and complexity

TESTING CREDENTIALS

In order to avoid abuse of shared credentials for testing they will not be provided. Bug Bounty Program participants will need to register a new account and order a single shared hosting plan by themselves. We will provide discount coupons for our Bug Bounty Program participants which will cover all expenses of a single shared hosting plan for one month. Participants interested in testing Hostinger web applications should reach out to the security team at security@hostinger.com asking to claim a free discount coupon. Please don't forget to include your Hackerone profile name, email used for Hostinger account registration and short notice that you're participating in a Bug Bounty Program through Hackerone and we will send you a coupon code which will cover all expenses of a single shared hosting plan for one month.

THE FOLLOWING HOSTINGER DOMAINS IN SCOPE:

  • www.hostinger.com
  • hpanel.hostinger.com
  • cpanel.hostinger.com
  • payments.hostinger.com
  • builder.hostinger.com
  • www.niagahoster.co.id

Domains not listed above are not in scope.

NEW HOSTING INFRASTRUCTURE - H5G

We are introducing a new testing scope for our Hosting Infrastructure tailored for WordPress websites. This infrastructure is in its testing phase, and we invite researchers to help us identify potential vulnerabilities.

To participate in testing our Hosting Infrastructure, please send an email to security@hostinger.com with the subject line "H5G Infrastructure Testing Request". In your email, please include the email address you used to register for the Hpanel.
NOTE: The access manager feature is not implemented in H5G. For this reason, all issues related to it are classified as NON-QUALIFYING VULNERABILITIES.

Since our H5G infrastructure is currently in the testing stage, the reward amounts are smaller compared to our other scopes.

ELIGIBILITY REQUIREMENTS

To be eligible for the Bug Bounty Program, you must not:

  • Be in violation of any national, state, or local law or regulation;
  • Be employed by Hostinger or its affiliates;
  • Be an immediate family member of a person employed by Hostinger or its affiliates; or
  • Be less than 16 years of age. If you are at least 16 years old, but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating in the Bug Bounty Program.

If Hostinger discovers that you meet any of the criteria above, Hostinger will remove you from the Bug Bounty Program and disqualify you from receiving any Bounty Payments.

DISCLOSURE GUIDELINES

By providing a submission through HackerOne or agreeing to the Program Terms, you agree that you shall not publicly disclose your findings or the contents of your Submission to any third parties in any way without Hostinger's prior written approval.

Failure to comply with the Program Terms will result in immediate disqualification from the Bug Bounty Program and ineligibility for receiving any Bounty Payments.

QUALIFYING VULNERABILITIES:

Hostinger will accept a report of any vulnerability that substantially affects the confidentiality or integrity of any eligible Hostinger service. Eligible vulnerabilities include, but are not limited to:

  • Authentication or authorization flaws, including insecure direct object references and authentication bypass
  • Server-side or remote code execution (RCE)
  • Injection vulnerabilities, including SQL and XML injection
  • Directory Traversal
  • Privilege Escalation
  • Disclosure of sensitive or personally identifiable information
  • Significant security misconfiguration with a verifiable vulnerability
  • Exposed system credentials, disclosed by Hostinger or its employees, that pose a valid risk to an in scope asset

NON-QUALIFYING VULNERABILITIES:

Any domain not listed in policy scope is out of scope for the purposes of the Bug Bounty Program, as is all hosted customer content and third-party programs and plug-ins.

The following actions do not qualify for the Bug Bounty Program and should not be tested by researchers participating in the Bug Bounty Program:

  • Reports that involve a secondary user account where an existing business relationship is being leveraged and the impact is limited solely to the parent account
  • Username enumeration on customer facing systems (i.e. using server responses to determine whether a given account exists)
  • Scanner output or scanner-generated reports, including any automated or active exploit tool
  • Man-in-the-Middle attacks
  • Any physical attacks against Hostinger property or data centers
  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Click-jacking
  • Vulnerabilities involving stolen credentials or physical access to a device
  • Phishing attacks
  • Social engineering attacks, including those targeting or impersonating internal employees by any means (e.g. customer service chat features, social media, personal domains, etc.)
  • Open redirection, except in the following circumstances: 
    • Clicking a Hostinger-owned URL immediately results in an unexpected redirection and loss of sensitive data (e.g. session tokens, PII, etc)
  • CRIME/BEAST attacks
  • Logout CSRF
  • Banner or version disclosures
  • Missing SPF records
  • Directory listing (unless sensitive data can be found)
  • DoS, brute force, user enumeration or DDoS attacks
  • Blackhat SEO techniques
  • Any other submission determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact
  • Vulnerabilities on third party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)
  • Exposed credentials that are either no longer valid, or do not pose a risk to an in scope asset
  • Any bug that relies upon an outdated browser
  •  Infrastructure vulnerabilities, including:
    • Issues related to SSL certificates
    •  DNS configuration issues
    •  Server configuration issues (e.g. open ports, TLS versions, etc.)
  •  Bugs requiring exceedingly unlikely user interaction.
  •  Insecure password complexity requirements
  • Email verification/validation issues
  • Quality and business logic bugs which do not pose real risk and do not impact business and customers in a way which could lead to unauthorised access to data or systems, also when there is no possibility to take advantage of the bug to cause some sort of damage to company systems or data.
  • Vulnerabilities on individual clients infrastructure or virtual private servers (VPS), including websites, databases, etc.
  • Hacking discount coupons
  • Broken links 

BUG SUBMISSIONS REQUIREMENTS

For all submissions, please include following information:

  • Full description of the vulnerability being reported, including the exploitability and impact
  • Evidence and explanation of all steps required to reproduce the submission, which may include:
  • Videos or Step by step screenshots 
  • Exploit code
  • Traffic logs
  • Web/API requests and responses
  • Email address or user ID of any test accounts
  • IP address used during testing
  • For RCE submissions, see below

Failure to include any of the above items may delay or jeopardize the Bounty Payment

REMOTE CODE EXECUTION (RCE) SUBMISSIONS GUIDELINES:

Failure to meet the below conditions and requirements could result in a forfeiture of any potential Bounty Payment:

  • Source IP address
  • Timestamp, including time zone
  • Full server request and responses
  • Filenames of any uploaded files, which must include “bugbounty” and the timestamp
  • Callback IP and port, if applicable
  • Any data that was accessed, either deliberately or inadvertently

Allowed Actions:

  • Directly injecting benign commands via the web application or interface (e.g. whoami, hostname, ifconfig)
  • Uploading a file that outputs the result of a hard-coded benign command

Prohibited Actions:

  • Uploading files that allow arbitrary commands (i.e. a webshell)
  • Modifying any files or data, including permissions
  • Deleting any files or data
  • Interrupting normal operations (e.g. triggering a reboot)
  • Creating and maintaining a persistent connection to the server
  • Intentionally viewing any files or data beyond what is needed to prove the vulnerability
  • Failing to disclose any actions taken or applicable required information

BOUNTY PAYMENTS

You may be eligible to receive a monetary reward (“Bounty Payment”) if: (i) you are the first person to submit a site or product vulnerability; (ii) that vulnerability is determined to by a valid security issue by Hostinger's security team at their sole discretion; and (iii) you have complied with all Program Terms.

Bounty Payments, if any, will be determined by Hostinger, in Hostinger sole discretion. In no event shall Hostinger be obligated to pay you a bounty for any Submission. All Bounty Payments shall be considered gratuitous.

All Bounty Payments will be made in United States dollars (USD). You will be responsible for any tax implications related to Bounty Payments you receive, as determined by the laws of your jurisdiction of residence or citizenship.

Hostinger will determine all Bounty Payments based on the risk and impact of the vulnerability. The minimum bounty amount for a validated bug submission is $100USD and the maximum bounty for a validated bug submission is $25000USD.

Hostinger security team  retains the right to determine if the bug submitted to the Bug Bounty Program is eligible. All determinations as to the amount of a bounty made by the Hostinger Bug Bounty Team are final. Bounty Payment ranges are based on the classification and sensitivity of the data impacted, ease of exploit and overall risk to Hostinger customers, Hostinger brand and determined to be a valid security issue by Hostinger's security team.

Retesting. Please note that we reserve the right to request or decline retesting of reported issues at our discretion, based on our internal assessment and priorities. Our decision will take into account factors such as the severity of the issue, the quality of the initial report, and our current resource availability. To recognize the additional effort involved in retesting, we offer retest bounties as follows: (i) Low and Medium Severity Issues: $50 USD; (ii) High and Critical-Severity Issues: $100 USD.

OWNERSHIP OF SUBMISSIONS

As a condition of participation in the Bug Bounty Program, you hereby grant Hostinger, its  and affiliates a perpetual, irrevocable, worldwide, royalty-free, transferrable, sublicensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Hostinger in connection therewith, for any purpose. You should not send us any Submission that you do not wish to license to us.

You hereby represent and warrant that the Submission is original to you and you own all right, title and interest in and to the Submission. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the Submission to Hostinger. In no event shall Hostinger be precluded from discussing, reviewing, developing for itself, having developed, or developing for third parties, materials which are competitive with those set forth in the Submission irrespective of their similarity to the information in the Submission, so long as Hostinger complies with the terms of participation stated herein.

TERMINATION

In the event (i) you breach any of these Program Terms or the Terms of Service of the Hostinger; or (ii) Hostinger determines, in its sole discretion that your continued participation in the Bug Bounty Program could adversely impact Hostinger (including, but not limited to, presenting any threat to Hostinger's systems, security, finances and/or reputation) Hostinger may immediately terminate your participation in the Bug Bounty Program and disqualify you from receiving any Bounty Payments. Please follow these Program Terms. 

CONFIDENTIALITY

Any information you receive or collect about Hostinger, Hostinger employees or any Hostinger customer through the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You shall not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the Hostinger sites, without Hostinger's prior written consent. Any disclosure of Confidential Information outside of this requirement will result in immediate removal from the Bug Bounty Program.

INDEMNIFICATION

In addition to any indemnification obligations you may have under the Terms of Service, you agree to defend, indemnify and hold Hostinger, its affiliates and the officers, directors, agents, employees and suppliers of Hostinger, harmless from any claim or demand (including attorneys’ fees) made or incurred by any third party due to or arising out of your Submissions, your breach of these Program Terms and/or your improper use of the Bug Bounty Program.

CHANGES TO PROGRAM TERMS

The Bug Bounty Program, including its policies, is subject to change or cancellation by Hostinger at any time, without notice. As such, Hostinger may amend these Program Terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the Bug Bounty Program after Hostinger posts any such changes, you accept the Program Terms, as modified.

 

Submit
主机产品网站托管WordPress托管VPS托管商业电子邮件Hostinger云托管WooCommerce 托管代理机构托管服务Google WorkspacePalworld 托管
域名域名搜索低价域名免费域名WHOIS免费SSL证书域名转移域名扩展
工具建站助手电子商务建站助手AI 徽标生成器迁移到 Hostinger
信息定价评测推广联盟路线图(英文)荣誉墙系统状态站点地图
公司关于Hostinger我们的技术博客
支持教程知识库联系我们举报滥用/违法信息
IconIconIconIconIcon
IconIconIconIcon
隐私权政策退款政策使用条款
visa
mastercard
amex
discover
jcb
maestro
dinersclub
还有更多

© 2004-2024 hostinger.com.hk - Premium 虚拟主机、云托管、VPS 和域名注册服务。

所列价格均未包含税费.

我们关心您的隐私

本网站使用 Cookie,这是网站正常运行、获取有关你如何与网站互动的数据以及用于营销目的所必需的。一旦接受,即表示你同意我们在广告和分析中使用 cookies。 Cookie政策.