Responsible Disclosure

InfinityFree welcomes reports from third party security researchers and their help in making our products and services more secure.

How to send a report

If you would like to submit a bug report, please send the details to [email protected].

Bug Bounties

In case of valid vulnerabilities, we are happy to pay out an appropriate bounty. At this time, we do not have a formal bounty tier and rate list and determine bounty amounts on a case-by-case basis.

This may change in the future.

Scope

The following domains host software developed entirely by us and are fully in scope:

infinityfree.com
dash.infinityfree.com

The followwing domains host third party developed software. The infrastructure is within scope, but the applications themselves are not:

forum.infinityfree.com

The following sites are built and/or maintained by our supplier iFastNet. Please report any identified vulnerabilities to iFastNet.

Control panel domains: cpanel.infinityfree.com, cpanel.epizy.com, cpanel.rf.gd, etc.
Most services exposed through the control panel, unless explicitly defined as in-scope, e.g.:
- filemanager.ai
- scriptinstall.rocks
The hosting platform itself, such as vulnerabilities found in the web servers, FTP servers and database servers of the free hosting service.

Out of Scope Vulnerabilities

The following vulnerabilities are considered insignificant. No bounties will be awarded for them.

Self-XSS that cannot be used to exploit other users
Verbose messages/files/directory listings without disclosing any sensitive information
CORS misconfiguration on non sensitive endpoints
Missing cookie flags on non sensitive cookies
Missing security headers which do not present an immediate security vulnerability
Cross-site Request Forgery with no or low impact
Presence of autocomplete attribute on web forms
Reverse tabnabbing
Bypassing rate-limits or the non-existence of rate-limits
Best practices violations (password complexity, expiration, re-use, etc.)
Clickjacking on pages without sensitive actions
CSV Injection
Host Header Injection
Sessions not being invalidated (logout, enabling 2FA, etc.)
Hyperlink injection/takeovers
Cross-domain referer leakage
Anything related to email spoofing, SPF, DMARC or DKIM
Content injection
Username / email enumeration
E-mail bombing
HTTP Request smuggling without any proven impact
Homograph attacks
XMLRPC enabled
Banner grabbing / Version disclosure
Open ports without an accompanying proof-of-concept demonstrating vulnerability
Weak SSL configurations and SSL/TLS scan reports
Not stripping metadata of images
Disclosing API keys without proven impact
Disclosing credentials without proven impact
Arbitrary file upload without proof of the existence of the uploaded file
Crashes due to malformed URL Schemes
Attacks requiring the usage of shared computers, man in the middle or compromised user accounts
Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted
Attacks requiring unrealistic user interaction
Spam, social engineering and physical intrusion

Additionally, the following rules are true:

Known Vulnerabilities: In case that a reported vulnerability was already known to the company from their own tests, no bounties will be awarded.
Theoretical Vulnerabilities: Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded.
DoS/DDoS attacks or brute force attacks: These attacks are strictly prohibited and will be reported to relevant law enforcement agencies.
Patching delay: Recently disclosed zero-day vulnerabilities in commercial products where no patch or a recent patch (< 2 weeks) is available. We need time to patch our systems just like everyone else - please give us 2 weeks before reporting these types of issues.

Rules of Engagement

Please clean up remnants of your testing and do not interfere with the normal operation of the site.
Please do NOT use automatic scanners. We cannot accept any submissions found by using automatic scanners.
Provide detailed but to-the point reproduction steps
Include a clear attack scenario, a step by step guide in the PoC is highly appreciated
Suggestions for mitigation are appreciated as well
Do not exploit the identified leak: only collect the information necessary to demonstrate its existence.
Do not change or delete any data or system settings.
Handle any found data in a responsible manner: if you can demonstrate that there is a security problem with a small portion, do not go any further.
Please do NOT publish/discuss bugs before they are fixed.
Remember: quality over quantity!

InfinityFree considers ethical hacking activities that follow these rules to be “authorized” conduct under criminal law. We will not pursue legal action as long as you comply by these rules, or in case of any accidental, good faith violations.