Dog with a magnifying glass

Animal Friends Bug Bounty Program

Keeping your data safe and secure is a top priority here at Animal Friends.

IMPORTANT NOTICE: As from Thursday 28th November 2024 we can only make payments from our Bug Bounty Scheme using Bank Transfer (International or national). Payments can be made in UK£, Euros or US$. This will require you to provide your bank account details (including IBAN, where applicable) and associated full name and address.

While we undertake regular external audits of our tools and services with leading information security companies, we also acknowledge the benefit that independent external security researchers can provide.

No system is ever perfect, and therefore, Animal Friends believes that working with skilled security researchers around the world is crucial to identify and fix any weaknesses.

If you believe you have found a security issue in our tools or services, we encourage you to responsibly disclose this to us via our Bug Bounty program. We will work with you to assess and resolve reported issues promptly. All reported bugs will be assessed by our security team to determine if they qualify for a reward. Animal Friends will consider the impact to both the company and our customers and will calculate any reward accordingly.

All submissions should clearly demonstrate a viable attack against an Animal Friends system, staff member or customer.

Please note the exclusions in the Out of Scope section below.

Our bug bounty program is limited to our customer facing web applications. These are:

Do not attempt social engineering or phishing attacks against our customers or employees under any circumstances.

Due to concern regarding availability, do not attempt denial of service attacks, spam or similar activity.

The following items are out of scope or excluded from the scheme:

  1. Non-exploitable vulnerabilities
  2. All third-party components and services which are used on the items named within scope
  3. Denial of Service attacks, including Application Denial of Service by locking of user accounts
  4. Clickjacking, without additional details demonstrating a specific exploit
  5. TLS configuration weaknesses (e.g. “weak” ciphersuite support, TLS1.0, TLS1.1 support, sweet32 etc.)
  6. Deviations from “best practice” for example, missing security headers (CSP, x-frame-options, x-prevent-xss etc.), additional HTTP verbs (OPTIONS, TRACE etc.)
  7. Basic/Simple rate-limiting issues without a direct security impact
  8. Raw output from commonly available automated scanners or online tools without any additional analysis or practical proof of concept
  9. Self-XSS and issues exploitable only through Self-XSS
  10. Cookie flags (including HTTPonly and Secure) for non-sensitive data
  11. Session handling and policies around brute force, rate limiting, or account lockout
  12. Session management during email/password changes

IMPORTANT NOTICE: With effect from Thursday 28th November 2024 should a successful submission of a vulnerability via our Bug Bounty scheme be deemed worthy of a reward, this will be a cash reward paid only by bank transfer.

As standard, we will pay on a scale of £50 to £400 for any such vulnerabilities identified and confirmed. Payment will be based on the quality of the submission, the ability to replicate the reported issue, and that it has not been identified and remunerated already. The payment is subject to an internal approval process.

Please inform us responsibly via security@animalfriends.co.uk upon discovery of a potential security issue and we will make every effort to work with you to quickly resolve the issue. Notifications sent to any other email address may not be addressed in swift manner.