Security and data protection have the highest priority at Moshbit, the creators of Studo. We are continuously working to provide secure products.
We follow international standards as defined by leading tech companies and security communities. However, no technology is perfect, and Moshbit believes that working with skilled security researchers is crucial in identifying weaknesses in any technology. If you find a security bug in the scope of our security program, we would really appreciate it if you would report this to us. This way, we can further improve the security and reliability of Studo and other products of Moshbit.
Security Vulnerability Reporting Policy
If you believe you have found a security vulnerability in Studo, we encourage you to let us know right away. Report via mail in English or German to firstname.lastname@example.org. We will attempt to respond to your report within 1-2 business days. We will investigate all legitimate reports and do our best to quickly fix the problem. Before reporting though, please review this page including our responsible disclosure policy, reward guidelines, and those things that should not be reported.
Responsible Disclosure Policy
To encourage responsible reporting, we commit that we will not take legal action against you or ask law enforcement to investigate you if you comply with the following Responsible Disclosure Guidelines:
- Provide details of the vulnerability, including the information needed to reproduce and validate the vulnerability and a Proof of Concept (screenshot, video or source code).
- You give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.
- You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access, modification or destruction of data, and interruption or degradation of our services.
- You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
- You do not intentionally violate any other applicable laws or regulations, including (but not limited to) laws and regulations prohibiting the unauthorized access to data.
- You do not modify or access data that does not belong to you.
- For the purposes of this policy, you are not authorized to access user data or company data, including (but not limited to) personally identifiable information and data relating to an identified or identifiable natural person.
Bug Bounty Program Terms
We recognize and reward security researchers who help us keep people safe by reporting vulnerabilities in our services. Monetary bounties for such reports are entirely at Moshbit's discretion, based on risk, impact, and other factors. To potentially qualify for a bounty, you first need to meet the following requirements:
- Adhere to our Responsible Disclosure Policy (see above).
- Report a security bug: that is, identify a vulnerability in our services or infrastructure which creates a security or privacy risk. (Note that Moshbit ultimately determines the risk of an issue, and that many software bugs are not security issues.)
- Your report must describe a problem involving one of the products or services listed under "Bug Bounty Program Scope" (see below).
- Submit your report via mail to email@example.com.
- If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, you must disclose this in your report.
In turn, we will follow these guidelines when evaluating reports under our bug bounty program:
- We investigate and respond to all valid reports. We prioritize evaluations based on risk and other factors, and it may take some time before you receive a reply.
- We determine bounty amounts based on a variety of factors, including (but not limited to) impact, ease of exploitation, and quality of the report. If we pay a bounty, the minimum reward is €50. Note that extremely low-risk issues may not qualify for a bounty at all.
- In the event of duplicate reports, we award a bounty to the first person to submit an issue. (Moshbit determines duplicates and may not share details on the other reports.) A given bounty is only paid to one individual.
- We reserve the right to publish reports (and accompanying updates).
- If needed, we will provide you with test accounts for Studo; feel free to ask us.
- In case the finding of a security issue is part of an academic work (such as a Bachelor's or Master's thesis): after resolving the issue, we can provide you with additional information for your work.
Bug Bounty Program Scope
To qualify for a bounty, report a security bug in Studo or one of the following qualifying products:
- Studo App for Android and iOS (we pay out double rewards for bugs found in the Studo App). If needed, request a demo account via firstname.lastname@example.org
- Studo Chat, the chat system within the Studo App. If needed, request a demo account via email@example.com
- The career platform Talto, which is linked from the Studo App at some universities
- Infrastructure of Moshbit
- Domains studo.com, *.studo.com, studo.co and *.studo.co
- Self-hosted open source Campus QR application
If you are unsure whether a service is eligible for a bounty or not, feel free to ask us.
Out of Scope
- Spam or social engineering techniques
- Denial-of-service attacks
- Security issues in the Android or iOS operating system or in smartphone/tablet vendor-specific software
- Old versions of the Studo App
- Trickery to get the Studo PRO version for free, as long as it is not a security issue and only leads to missing payments to Moshbit.
- Security issues in third-party services that Studo integrates: university websites, university mail services, news websites. These are not managed by Moshbit and are not covered by our guidelines for security testing.