Agora is always looking to better protect our system and customers. Therefore, we invite security researchers to report any bugs or vulnerabilities they discover to us.
Once we receive notice of a bug or vulnerability, Agora customer service and security teams will respond quickly to address the issue.
In addition to our gratitude, those who report a vulnerability may be eligible for a monetary “bounty” based on the risk associated with the vulnerability and the importance of the affected system.
The following table shows system importance classifications (in descending order), along with some example Agora assets:
|Core system||SD-RTN™, the mail system, and official websites such as www.agora.io, sso.agora.io, and api.agora.io|
|General system||Forums and the Developer Portal (docs.agora.io)|
|Fringe system||Test sites|
The following list outlines detailed examples of how various vulnerabilities would be classified:
Examples include command injection (execution), code injection (execution), web shell execution, SQL injection, and buffer overflow that gains system privileges on the core system.
Examples include actions that make service unavailable, reduce service quality, and so on.
Examples include SQL injection of the core database (identity, order), unauthorized disclosure of sensitive information relating to a user, product order, or payment method, and so on.
Examples include the ability to send batches of fraudulent messages, account consumption through a business interface, and large-scale modification of account passwords, and so on.
Examples include unauthorized disclosure of sensitive information relating to a source code, hardcoded passwords, and so on.
Examples include bypassing authentication or backend password, leading to unauthorized access to sensitive intranet information.
Examples include manipulating important information without authorization, such as orders, major business configurations, and so on.
Examples include stored XSS (cross-site scripting).
Examples include incorrect direct object references, unauthorized access to orders, unauthorized access to user information, and so on.
Examples include client-side stored plaintext passwords, system path traversal, and so on.
Local denial of service vulnerabilities, CSRF (cross-site request forgery), reflected-XSS, and so on.
Minor information leakage, such as path information, SVN information, exception information, the local SQL injection of a client-side application (limited to database name, field name, log print), and so on.
Vulnerabilities that are difficult to exploit but still have security implications, such as plaintext transmission of passwords.
Exposure of software banners, internal IP addresses, some public email addresses or phone numbers, and so on.
Using outdated versions of a system, supporting outdated version of an encryption protocol, such as SSL (secure-sockets layer) or tls (transport-layer security) 1.0, supporting low-strength encryption algorithms, and so on.
Please report any potential risks of Agora services that you may notice to firstname.lastname@example.org. Any bounties awarded will conform roughly to the following ranges (based on the severity and system location of the bug or vulnerability, payable in $US):
Note: Agora reserves the sole right to determine any reward amount given.