Vulnerability Disclosure Program

Vulnerability Disclosure Policy

Welcome to the Funding Societies | Modalku Group Vulnerability Disclosure Program (VDP). This policy is designed to encourage security researchers and the general public to responsibly report security vulnerabilities they may discover on our Website/Cloud Assets. Your efforts help us maintain a safe and secure environment for our users.

  • Ensuring our customers' data is safe and our products and services are dependable is a top priority for Funding Societies. Therefore, we aim to design and make products and services with the highest levels of security and reliability.
  • This policy describes Funding Societies' approach to requesting and receiving reports related to potential vulnerabilities and errors in its products and services. Customers, users, researchers, partners, and any other person who interacts with Funding Societies' products and services are encouraged to report identified vulnerabilities and errors using the contact details provided on this page.
  • Funding Societies highly appreciates the efforts made by the reporting party in identifying the vulnerability or error. This will contribute to improving the security and reliability of our products and services.


Rules of Engagement

1. Responsible Reporting: When reporting potential vulnerabilities and errors in Funding Societies' products and services, adhere to the guidelines below. The first rule is that you should not exploit or utilise any discovered vulnerabilities or errors for any purpose other than reporting them to Funding Societies.

2. Ethical Testing: Avoid any testing or research with the intent to harm Funding Societies, its stakeholders, or partners. Ethical reporting ensures a secure environment.

3. Data Integrity: Maintain data integrity. Do not tamper, delete, alter, or destroy accessed data related to vulnerabilities. This upholds the integrity of the investigation.

4. Prohibited Activities: Prohibited activities include social engineering, spamming, phishing, denial-of-service and resource-exhaustion attacks, and running automated fuzzers, tools, or scripts. These actions are strictly off-limits during testing.

5. Legal Compliance: Adherence to all applicable laws is mandatory. Actions leading to your report should not violate any relevant laws or regulations.

6. Confidentiality: Maintain confidentiality. Do not publicly disclose the vulnerability, any details about it, the contents of your report, or the fact that you have reported it to Funding Societies.

7. Limited Exploitation: Only exploit the vulnerability to the extent necessary to prove its existence; do not exploit it further than necessary.

8. Service Integrity: Do not intentionally damage or degrade the integrity of Funding Societies' services.

9. No Denial-of-Service (DoS) Attacks: Do not engage in any form of Denial-of-Service (DoS) attack against Funding Societies' services.

10. Respect for Privacy: Don't violate the privacy of other users, destroy data, disrupt services, or engage in any harmful activities.


Reporting Process

If you believe you have discovered a security vulnerability, please submit a report by sending an email to bugbounty@fundingsocieties.com with the following information: a detailed description of the vulnerability, including steps to reproduce it, any relevant screenshots, videos, or proof of concept code, and your contact information. Our security team will then investigate the report and provide you with updates on our progress. Reporting a security issue to Funding Societies implies your acceptance of the terms and conditions outlined in the Vulnerability Disclosure Policy and Rules of Engagement.


Appreciation

As a token of our appreciation for your responsible disclosure, we offer an acknowledgment via email. Additionally, individuals who make substantial contributions to the security of our services, such as identifying and reporting impactful vulnerabilities, will be featured on our Hall of Fame, subject to their consent.


Contact

If you have any specific questions pertaining to the program scope and vulnerabilities, you can reach out to the Funding Societies team at bugbounty@fundingsocieties.com.


Hall of Fame

Year 2023

Year 2024


Out-of-Scope

  • Subdomain takeover without actual proof.
  • Account harvesting (e.g. enumerating WordPress usernames).
  • Access to keys and credentials without proof that they are valid.
  • UUID enumeration of any kind.
  • SSL pinning.
  • Invite/promo code enumeration.
  • Reports that state that software is out of date/vulnerable without a proof-of-concept.
  • Stack traces, path disclosure, and directory listings.
  • CSV injection.
  • Best-practice concerns.
  • Highly speculative reports about theoretical damage; please always provide a proof-of-concept.
  • Vulnerabilities that cannot be used to exploit other users or Funding Societies, e.g. self-XSS (having a user paste JavaScript into the browser console).
  • Most vulnerabilities within our sandbox or staging environments.
  • Vulnerabilities as reported by automated tools without additional analysis as to how they are an issue.
  • Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.
  • Distributed denial-of-service attacks (DDoS) or any activity that will cause service disruptions.
  • Content injection issues.
  • Cross-Site Request Forgery (CSRF) with minimal security implications (logout CSRF, etc.).
  • Missing cookie flags on non-authentication cookies.
  • Email spoofing.
  • Missing HTTP security headers.
  • Lack of HttpOnly and Secure cookie flags.
  • Issues that require physical access to a victim's computer/device.
  • SSL/TLS scan reports (this means output from sites such as SSL Labs).
  • Banner grabbing issues (figuring out what web server we use, etc.).
  • Open ports without an accompanying proof-of-concept demonstrating a vulnerability.
  • Broken link hijacking.
  • Entering the Funding Societies offices, throwing crisps everywhere, unleashing a bunch of hungry raccoons, and hijacking an abandoned terminal on an unlocked workstation while staff are distracted (social engineering, etc.).
  • Reports that affect only outdated user agents or app versions; we only consider exploits in the latest browser versions of Safari, Firefox, Chrome, Edge and IE, and the versions of our application that are currently in the app stores.
  • Lack of rate limiting on API endpoints, unless it is for brute-forcing of a pass token with insufficient entropy (e.g. a 4-digit passcode without invalidation and rate limiting).
  • Vulnerabilities found on rooted mobile devices.
  • Open redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g. stealing OAuth tokens, we do still want to hear about them.


© 2023 Funding Societies Pte. Ltd. & FS Capital Pte. Ltd. All rights reserved.