Two Bug Bounty Program
At Two, we welcome everyone who is genuinely interested in helping us to improve our security measures. If you become aware of a weakness in our systems, please get in touch and let us know.
Rewards
$1,000
Systemic compromise
Examples: Remote code execution, file system access, JSON injection, SQL injection and command injection with significant impact; vertical authentication bypass (privilege escalation to a higher-privileged role).
$500
Full access to other users' private data
Examples: IDOR and CSRF with significant impact; internal SSRF and lateral (horizontal) authentication bypass; sensitive data sent unencrypted.
$200
Limited access to other users' private data
Examples: IDOR, reflected XSS and CSRF with impact.
$50
Configuration issues and other vulnerabilities with limited impact
Examples: XSS and CSRF with limited impact.
Third party issues
If any of our third party services have vulnerabilities, we'd like to know. We can't guarantee bounty for those but we encourage you to report issues both to us, and also to them. If the vulnerability might reasonably affect our users, we'll likely grant a bounty.
Eligibility
Important note: Testing in our production environment is strictly prohibited and will result in disqualification from receiving awards under this program.
In order to be eligible for a bounty, you must meet the following requirements:
- You must be the first reporter of the vulnerability.
- You must not publicly disclose the vulnerability without our prior permission.
- We will ask for an exploit or proof of concept for every report. If you cannot describe an attack, even a hypothetical one, we are unlikely to award a bounty.
- The vulnerability must have a clearly identified security impact and must be presented along with enough information for our team to investigate and reproduce.
- Do not perform any tests that will disrupt services or impair others' ability to use them.
- Do not conduct non-technical attacks such as phishing, social engineering or physical attacks against our employees, customers or infrastructure.
Any vulnerabilities reported with the following criteria are not eligible for a bounty:
- Only affecting outdated browsers/platforms.
- Affecting our non-production domains only (the in-scope cyber environment is kept in step with production; see Code of conduct).
- Caused by third-party websites or mobile applications into which our software is embedded.
- Only affecting the executing user (self-XSS and similar).
- Exploitable only through social engineering.
- Exploitable only through prior control of the user's account/device/browser/etc., or of an administrative account.
- Vulnerabilities considered by Two to be of low severity.
- Software version disclosure.
- Missing security headers without proof of exploitability.
- Any functional issue without any security impact.
- Missing any best security practice that is not a vulnerability.
- Clickjacking in unauthenticated pages or in pages with no significant state-changing action.
- Login, logout or unauthenticated CSRF.
- Reports from automated tools or scans (without accompanying demonstration of exploitability).
- Low-impact descriptive error pages and information disclosures without any sensitive information (e.g. stack traces, application or server errors).
- Invalid or missing SPF/DKIM/DMARC/DNSSEC records.
- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner).
- Presence of EXIF information in file uploads.
- Missing HttpOnly/Secure cookie flags.
- Publicly accessible login panels.
- Disclosure of known public files or directories (e.g. robots.txt).
- XML-RPC related brute-force/enumeration/DDoS attacks.
- Attacks requiring MITM or physical access to a user's device.
- HTTP OPTIONS/TRACE methods enabled.
- Open ports without an accompanying proof of concept demonstrating a vulnerability.
- HTTP/TLS configuration issues without demonstrable impact, such as:
  - TLS configuration issues such as BEAST, BREACH, renegotiation attacks, insecure cipher suites, etc.
  - Lack of Secure or HttpOnly cookie flags.
- Issues related to software/applications not under Two's control.
Services In Scope
The following services are considered within the scope of this program:
- api.cyber.two.inc - Core API
- portal.cyber.two.inc - Web portal
- njord.cyber.two.inc - Operations API
- admin.njord.cyber.two.inc - Operations portal
- gb.qa.cyber.two.inc - Shop
Make a Submission
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. Multiple reports related to the same root cause will be awarded as one bounty.
- Submit your report at cyber@two.inc
- Provide a technical description of the concern or vulnerability.
- To let us verify your report quickly, include details of the tools used to conduct the testing, any relevant test configuration, and proof of concept material such as screenshots or video.
Code of conduct
Please first get in touch with us to let us know that you intend to begin looking for vulnerabilities. We will ask you to test against our dedicated cyber environment*, which is kept in step with our production systems. We may also ask you to sign a Non-Disclosure Agreement to protect our customers, should you find any problems that leak data.
Please let us know as soon as possible upon discovery of a potential security issue. We’ll investigate promptly and let you know our response.
Be mindful of your approaches when performing tool-assisted and manual assessments. Restrict your operations to our dedicated cyber environments*. Try not to leak, manipulate, or destroy any data. Only test against accounts that you own yourself, or with explicit permission of the account holder; if you would like us to create accounts for you to attack, please let us know. Please also warn us of the type of testing you will undertake, so that we know how to respond to alerts etc.
In the event of a bulk enumeration of customer data, do not harvest large amounts of information. We will accept a small sample of data as a valid proof of concept.
You must not, under any circumstances, disclose any information about the vulnerabilities that you discover outside of this program unless you first receive explicit written consent from our team. Any disclosure in defiance of this agreement can result in legal action against you.
Two reserves the right to not reward any submission if we so choose, and we will not provide compensation for time spent researching.
Thank you for helping keep Two and our users safe!
*: Our cyber environment is hosted at *.cyber.two.inc