UAP Old Mutual Life Assurance Bug Bounty Program

For Professional Researchers: Bug Bounty Program

Our team of dedicated security professionals works vigilantly to help keep customer information secure. We recognize the important role that security researchers and our user community play in helping to keep UAP Old Mutual Life Assurance and our customers secure. If you discover a site or product vulnerability please notify us using the guidelines below.

Program Terms

Please note that your participation in the Bug Bounty Program is voluntary and subject to the terms and conditions set forth on this page (“Program Terms”). By submitting a site or product vulnerability to UAP Old Mutual Life Assurance. (“UAP Old Mutual Life Assurance”) you acknowledge that you have read and agreed to these Program Terms.

These Program Terms supplement the terms of the UAP Old Mutual Life Assurance User Agreement, the UAP Old Mutual Life Assurance Acceptable Use Policy, and any other agreement into which you have entered with UAP Old Mutual Life Assurance (collectively “UAP Old Mutual Life Assurance Agreements”). The terms of those UAP Old Mutual Life Assurance Agreements will apply to your use of, and participation in, the Bug Bounty Program as if fully set forth herein. If any inconsistency exists between the terms of the UAP Old Mutual Life Assurance Agreements and these Program Terms, these Program Terms will control, but only with regard to the Bug Bounty Program.

You can jump to particular sections of these Program Terms by using the following links:

  1. Responsible Disclosure Policy
  2. Eligibility Requirements
  3. Bug Submission Requirements and Guidelines
  4. Ownership of Submissions
  5. Eligible Domains
  6. Out-of-Scope Vulnerabilities
  7. Bounty Payments
  8. Termination
  9. Confidentiality
  10. Indemnification
  11. Changes to Program Terms
  12. Frequently Asked Questions (FAQ)

Responsible Disclosure Policy

To encourage responsible disclosures, UAP Old Mutual Life Assurance commits that, if we conclude, in our sole discretion, that a disclosure respects and meets all the guidelines of these Program Terms and the UAP Old Mutual Life Assurance Agreements, UAP Old Mutual Life Assurance will not bring a private action against you or refer a matter for public inquiry.

Eligibility Requirements

To participate in the Bug Bounty Program, you must have a UAP Old Mutual Life Assurance account in good standing in order to register for the Bug Bounty Program and be eligible to receive Bounty Payments (described further below). Alternatively, if you do not have a UAP Old Mutual Life Assurance account, you may elect to submit reports via email, but you won’t be eligible for a Bounty Payment. If you do not currently have a UAP Old Mutual Life Assurance account, you can sign up for one here.

To be eligible for the Bug Bounty Program, you must not:

  • Be a resident of, or make your Submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria);
  • Be in violation of any national, state, or local law or regulation;
  • Be employed by UAP Old Mutual Life Assurance or its subsidiaries;
  • Be an immediate family member of a person employed by UAP Old Mutual Life Assurance or its subsidiaries or affiliates; or
  • Be less than 14 years of age. If you are at least 14 years old, but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating in the program.

If UAP Old Mutual Life Assurance discovers that you do not meet any of the criteria above, UAP Old Mutual Life Assurance will remove you from the Bug Bounty Program and disqualify you from receiving any bounty payments. Any submissions you make to UAP Old Mutual Life Assurance, whether via your Bug Bounty Program account or via email shall be considered “Submission(s)” for purposes of these Program Terms.

Bug Submission Requirements and Guidelines

In researching vulnerabilities on UAP Old Mutual Life Assurance’s sites, you may not engage in testing that (i) results in a degradation of UAP Old Mutual Life Assurance systems, (ii) results in you, or any third party, accessing, storing, sharing or destroying UAP Old Mutual Life Assurance or customer data, or (iii) may impact UAP Old Mutual Life Assurance customers, such as denial of service, social engineering or spam.

You may not publicly disclose your findings or the contents of your Submission in any way without UAP Old Mutual Life Assurance’s prior written approval.

Failure to follow these guidelines will result in immediate disqualification from the Bug Bounty Program and ineligibility for receiving any bounty payments.

For all submissions, please include:

  • Full description of the vulnerability being reported including the exploitability and impact
  • Document all steps required to reproduce the exploit of the vulnerability
  • Provide all:
    • URL(s)/application(s) affected in the submission (even if you provided us a code snippet or video as well)
    • IPs that were used while testing
    • Always include the user ID that is used for the PoC
    • Always include all of the files that you attempted to upload
    • Provide the complete PoC for your submission (e.g. for RCEs do not change files; upload only “hello world” test files, etc.)
    • Please save all the attack logs and attach them to the submission.
    • For RCE findings, follow the Remote Code Execution (RCE) Submission Guidelines below.
  • Failure to include any of the above items may delay or jeopardize the bounty payment.

Ownership of Submissions

As between UAP Old Mutual Life Assurance and you, as a condition of participation in the UAP Old Mutual Life Assurance Bug Bounty Program, you hereby grant UAP Old Mutual Life Assurance, its subsidiaries, affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferrable, sublicensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to UAP Old Mutual Life Assurance in connection therewith, for any purpose. You should not send us any Submission that you do not wish to license to us.

You hereby represent and warrant that the Submission is original to you and you own all right, title and interest in and to the Submission. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the Submission to UAP Old Mutual Life Assurance. In no event shall UAP Old Mutual Life Assurance be precluded from discussing, reviewing, developing for itself, having developed, or developing for third parties, materials which are competitive with those set forth in the Submission irrespective of their similarity to the information in the Submission, so long as UAP Old Mutual Life Assurance complies with the terms of participation stated herein.

Eligible Domains Policy

The following domains are included for the UAP Old Mutual Life Assurance family of companies:

  • https://web.uapoldmutual.com

Out-of-Scope Vulnerabilities

Certain vulnerabilities are considered out-of-scope for the Bug Bounty Program. Those out-of-scope vulnerabilities include, but are not limited to:

  • Vulnerabilities dependent upon social engineering techniques (e.g. shoulder attack, stealing devices, phishing, fraud, stolen credentials)
  • Host Header
  • Denial of service (DOS)
  • Self-XSS (User defined payload)
  • Login/logout CSRF
  • Content spoofing without embedded links/HTML
  • Vulnerabilities which require a jailbroken mobile device
  • Infrastructure vulnerabilities, including:
    • Certificates/TLS/SSL related issues
    • DNS issues (e.g. MX records, SPF records, etc.)
    • Server configuration issues (e.g. open ports, TLS, etc.)
  • Most vulnerabilities within our sandbox, lab, or staging environments.
  • Outdated web browsers: vulnerabilities contingent upon outdated or unpatched browsers will not be honored, including Internet Explorer versions prior to version 8
  • Vulnerabilities involving active content such as web browser add-ons
  • Information disclosure of public information, or of information that does not present risk to UAP Old Mutual Life Assurance customers or UAP Old Mutual Life Assurance (e.g. web server type disclosure)
  • Most Connected Commerce Cloud (C3) submissions are out of scope
    • We will review C3 submissions and depending upon the level of risk we will determine if this submission will be eligible

Bounty Payments

You may be eligible to receive a monetary reward, or “bounty,” if: (i) you are the first person to submit a site or product vulnerability; (ii) that vulnerability is determined to be a valid security issue by UAP Old Mutual Life Assurance’s security team; and (iii) you have complied with all Program Terms.

Bounty payments, if any, will be determined by UAP Old Mutual Life Assurance, in UAP Old Mutual Life Assurance’s sole discretion. In no event shall UAP Old Mutual Life Assurance be obligated to pay you a bounty for any Submission. All bounty payments shall be considered gratuitous.

In the event UAP Old Mutual Life Assurance elects to pay you a bounty, UAP Old Mutual Life Assurance may make a partial payment when the vulnerability is first verified by UAP Old Mutual Life Assurance and then an additional payment once the vulnerability has been fixed. The format and timing of all bounty payments shall be determined in UAP Old Mutual Life Assurance’s sole discretion.

All bounty payments must be made to a UAP Old Mutual Life Assurance Account in good standing. If you do not have a UAP Old Mutual Life Assurance Account in good standing at the time of payment, you will not be eligible to receive a bounty (except in extraordinary circumstances agreed to by UAP Old Mutual Life Assurance via email from the Bug Bounty Program team).

All bounty payments will be made in United States dollars (USD). You will be responsible for any tax implications related to bounty payments you receive, as determined by the laws of your jurisdiction of residence or citizenship.

UAP Old Mutual Life Assurance will determine all bounty payout based on the risk and impact of the vulnerability. The minimum bounty amount for a validated bug submission is $1 USD and the maximum bounty for a validated bug submission is $100 USD.

UAP Old Mutual Life Assurance Bug Bounty Team retains the right to determine if the bug submitted to the Bug Bounty Program is eligible. All determinations as to the amount of a bounty made by the UAP Old Mutual Life Assurance Bug Bounty Team are final.

Additional Terms

Payout ranges are based on the classification and sensitivity of the data impacted, ease of exploit and overall risk to UAP Old Mutual Life Assurance customers and the UAP Old Mutual Life Assurance brand, and require that the bug be determined to be a valid security issue by UAP Old Mutual Life Assurance’s security engineers. Common sensitive data elements include customer social security number, credit card number, card verification code, bank account number, login credentials and passwords. UAP Old Mutual Life Assurance may pay beyond the range at times when bugs are found to have significant risk.

Please note that Clickjacking and CSRF vulnerabilities are only reviewed for sites and pages where the ease of exploit and risk to UAP Old Mutual Life Assurance is significant. Also, please note that, while "Logout CSRF" is a well-acknowledged issue, there are other techniques (like "cookie forcing" and "cookie bombardment") that can make it futile to defend against this attack. Also, UAP Old Mutual Life Assurance web sessions are relatively short lived and hence UAP Old Mutual Life Assurance will not consider reports of the ability to log out users from UAP Old Mutual Life Assurance as qualifying for a bounty.

Wall of Fame

In an effort to provide recognition to research partners, from time to time UAP Old Mutual Life Assurance may feature persons who have made significant contributions. Where selected, and upon mutual written agreement regarding acceptable attribution (email being sufficient), you hereby grant UAP Old Mutual Life Assurance the right to display the display name and/or attribution information on UAP Old Mutual Life Assurance’s Wall of Fame and such other media as UAP Old Mutual Life Assurance desires to publish. Either party may elect to no longer participate or publish contribution information. UAP Old Mutual Life Assurance has the right to remove contribution information of any person that at any time does not comply with the Program Terms or the terms of User Agreement.

Termination

In the event (i) you breach any of these Program Terms or the terms and conditions of the UAP Old Mutual Life Assurance Agreements; or (ii) UAP Old Mutual Life Assurance determines, in its sole discretion that your continued participation in the Bug Bounty Program could adversely impact UAP Old Mutual Life Assurance (including, but not limited to, presenting any threat to UAP Old Mutual Life Assurance’s systems, security, finances and/or reputation) UAP Old Mutual Life Assurance may immediately terminate your participation in the Bug Bounty Program and disqualify you from receiving any bounty payments. Please see our recommendations on the proper procedures for testing our applications.

Confidentiality

Any information you receive or collect about UAP Old Mutual Life Assurance or any UAP Old Mutual Life Assurance user through the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the UAP Old Mutual Life Assurance sites, without UAP Old Mutual Life Assurance’s prior written consent.

Indemnification

In addition to any indemnification obligations you may have under the UAP Old Mutual Life Assurance Agreements, you agree to defend, indemnify and hold UAP Old Mutual Life Assurance, its subsidiaries, affiliates and the officers, directors, agents, joint ventures, employees and suppliers of UAP Old Mutual Life Assurance, its subsidiaries, or our affiliates, harmless from any claim or demand (including attorneys’ fees) made or incurred by any third party due to or arising out of your Submissions, your breach of these Program Terms and/or your improper use of the Bug Bounty Program.

Changes to Program Terms

The Bug Bounty Program, including its policies, is subject to change or cancellation by UAP Old Mutual Life Assurance at any time, without notice. As such, UAP Old Mutual Life Assurance may amend these Program Terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the Bug Bounty Program after UAP Old Mutual Life Assurance posts any such changes, you accept the Program Terms, as modified.

Frequently Asked Questions

What constitutes a valid bug submission?

The bug must be in scope of our program sites, within a category of vulnerabilities that are within program scope, and found to be a valid security issue by our security engineers. Your submission must be the first of its kind as duplicate submissions will be invalid.

What is considered within the payout range of bounties?

Payout ranges are based on the classification of the data impacted, ease of exploit and overall risk to UAP Old Mutual Life Assurance customers and the UAP Old Mutual Life Assurance brand. We may pay beyond the range at times when bugs are found to have significant risk. The amount of all bounty payments, if any, will be determined by UAP Old Mutual Life Assurance, in UAP Old Mutual Life Assurance’s sole discretion.

Is my bug fixed? Where is my payout?

If you have reviewed your bug and believe it is fixed, please contact us and let us know. We will review your bug and verify if it is fixed. When your bug is fixed, your final bounty will be submitted and you will receive an email notification.

Why was my bug submission found to be a duplicate?

If the bug you have reported was already submitted by another researcher and found to be valid, we will not be able to honor similar bug submissions following that. We have had great participation from our research community. The growing volume of researchers will many times lead to duplicate bug findings. We must honor the first submission of its type and reject subsequent submissions.

What types of bugs are typically awarded on the high range of bounties?

Besides the category of bug and the risk it presents, the type of information exposed is important when determining the severity. Confidential or restricted customer personal identifiable information (PII) exposed as well as the content sensitivity of the page are factors that can facilitate a higher bounty payout.

What types of bugs are commonly rejected?

Bugs that present negligible to no impact to our customers or company. Common examples include:

  • Error messages void of sensitive data
  • Web server type disclosure
  • Clickjacking on pages without sensitive content, authentication, or state changing actions
  • Self-XSS scenarios that would require additional user interaction, including the user manually inputting the XSS payload.
  • Most vulnerabilities within our sandbox, lab or staging environments. Domains utilized by customers take precedence

What should I be aware of when testing?

  • Please be aware of all program criteria and scope, as well as the Program Terms.
  • Do not engage in testing that can impact our customers, like denial of service, social engineering or spam.
  • When utilizing personal or test accounts, be aware that they are subject to our fraud controls and filters, which may act upon irregular activity.
  • A proof of concept consisting of detailed steps or screen shots is helpful in facilitation of review and eventual fix.

Will any of my previously filed bugs be lost if I create a new Bug Bounty account using UAP Old Mutual Life Assurance login?

We want to assure you that none of the account history will be lost. You will continue to get notifications to your email for any status changes on previously filed bugs. If you need additional information concerning any open issues filed through the old portal, please contact us with the correct EIBBP number.

Remote Code Execution (RCE) Submission Guidelines

Scope:

Vulnerabilities which allow execution of code on the application server or shell commands on the server itself.

Minimal information collected from vulnerable server required for RCE submissions:

  1. Server internal IP(s)
  2. Server internal Hostname
  3. User name executing code
  4. Any and all UAP Old Mutual Life Assurance or customer data you were exposed to while conducting the research, including but not limited to: credentials, source code, log data, transaction data or records, etc.
  5. If uploading files to the server is directly required by the exploit, the file must include an identifying phrase, in either the content or the filename, consisting of the researcher's name or identifier and the phrase "UAP Old Mutual Life Assurance-BugBounty". The file's name and location on the server must be submitted in the report.

Minimal Information about exploit required for RCE submissions:

  1. Timestamps of all activities
  2. Source IP
  3. Exploit code
  4. Call back IP, domain, Ports and Full URL (if a callback was used)
  5. Full request and response data for exploitation attempts

Prohibited actions when conducting RCE attempts:

  1. Altering or uploading files on the web server unless directly required by the exploit.
  2. Altering file permissions.
  3. Reading sensitive credential files on the system (e.g. /etc/shadow)
  4. Interacting with or altering data stored on the server or other servers it interacts with (e.g. databases)
  5. Modifying or altering log files on the server.
  6. Interrupting the normal operation of the server (e.g. restarting services, changing configuration).
  7. Intentionally attempting to access or read UAP Old Mutual Life Assurance or its customers' data beyond the information necessary for reporting the vulnerability, including but not limited to: credentials, source code, log data, transaction data or records, etc.
  8. Any type of persistent connection mechanism (e.g. netcat listener, ssh reverse tunnel, etc.) is prohibited.

Specific Examples

Required actions:

  1. Executing the commands 'ifconfig', 'hostname' or 'whoami'
  2. Uploading a file named 'BugBounty.php' to the web server's working directory, containing a comment with the submitter's name and the identifying phrase

Allowed actions:

  1. Reading the content of the '/etc/passwd' file
  2. Executing code to connect back to a submitter's controlled server and report the internal IP and hostname of the server.

Prohibited actions:

  1. Uploading a 'web shell' to the web server's working directory enabling arbitrary command execution
  2. Shutting down the server.
  3. Reading the content of '/etc/shadow'.
  4. Executing queries on a database.
  5. Deleting files.

Do's and Don'ts

  1. Do - Provide a detailed description of the vulnerability being reported
  2. Do - Define the Risk (Impact x Exploitability) of the vulnerability
  3. Do - Provide all URL(s)/application(s) affected
  4. Do - Provide all steps required to reproduce the exploit and the vulnerability
  5. Do - Provide PoC video or screenshots with your submission
  6. Do - Always include the user ID that is used for the PoC
  7. Do - Submit an end-to-end PoC
  8. Do - Always include all of the files that you attempted to upload
  9. Do - Provide all IPs that were used while testing (especially important for things like RCE where another team will need this to investigate)
  10. Do - Submit all pieces of an attack as they are required for validation
  11. Do - Include the main domain (Example: XSS on https://web.uapoldmutual.com)
  12. Don't - Complete PoCs that will cause harm to UAP Old Mutual Life Assurance or our customers (e.g. denial of service, tampering with sensitive data, etc.)
  13. Don't - Scan with an active scanner like Qualys, Nessus, Tripwire, or Burp Suite (active scanning is not allowed; passive is okay)
  14. Don't - Disclose information publicly prior to receiving the Bug Bounty team's permission, including whether the vulnerability has been fixed
  15. Don't - Save proof of concept information in publicly available sources (e.g. public YouTube videos, imgur links, or anything else someone can view without authentication)
  16. Don't - Submit only the beginning piece of an attack and assume that it will work.
  17. Don't - Submit the same vulnerability twice instead of asking the status of the original
  18. Don't - Resubmit the same vulnerabilities again after they have been found to be not actionable due to low risk
  19. Don't - Group vulnerabilities that have different, distinct remediation efforts into one single ticket
  20. Don't - Submit bugs that don't affect the latest version of modern browsers (Chrome, Firefox, Safari); bugs related to browser extensions are also out of scope.

If you have UAP Old Mutual Life Assurance account issues, please contact customer service. The UAP Old Mutual Life Assurance Bug Bounty Team does not have visibility into your UAP Old Mutual Life Assurance account and therefore cannot assist with such issues.

If you have located a vulnerability and would like to submit it for our review, you may register and submit your bug details here!
