VULNERABILITY DISCLOSURE PROGRAM
Last Modified: December 13, 2023.

Hope City Church is committed to maintaining the security of our systems and data. If you believe you have identified a potential security vulnerability, please share it with us by following the submission guidelines below.

Thank you in advance for your submission. We appreciate researchers assisting us in our security efforts.
For purposes of this program, “HopeCityOKC.Church” refers to Hope City Church and its affiliates and subsidiaries.

Vulnerability Disclosure Program Guidelines

Researchers shall disclose potential vulnerabilities in accordance with the following guidelines:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not engage in any activity that can potentially cause harm to Hope City Church, our attendees, users, or our employees.
- Once a vulnerability has been discovered, stop all related activity, and notify us immediately.
- Provide Hope City Church reasonable time to fix any reported issue before making any information public.

Prohibited Actions

Security researchers are expected to act responsibly and cause no harm. The following actions are outside of the scope of this program and are strictly prohibited:
- Phishing
- Social engineering
- Denial-of-service attacks
- Resource exhaustion attacks
- Any violation of Hope City Church Privacy Policy
- Testing of any third-party services
- Use of any vulnerability to exfiltrate data, gain persistent command-line access or facilitate lateral movement within our systems

In-Scope Assets

- *.HopeCityOKC.Church

Out-of-Scope Vulnerabilities

The following vulnerabilities are out of scope and should not be submitted:
- Theoretical vulnerabilities
- WordPress Username Enumeration
- Information related to server status
- Enumeration of directories, files, or assets
- Findings related to password strength
- Login/Logout/Unauthenticated/Low-impact CSRF
- Self-exploitation
- Any service or libraries not directly hosted or controlled by Hope City Church
- Valid bugs or best-practice issues that are not directly related to the security posture of Hope City Church

Submission Instructions

When reporting a potential vulnerability, please include a detailed summary, including the target, steps, tools, and artifacts used during the discovery. Submit your findings to hello@createokc.com.

As a nonprofit, Hope City Church does not operate a public bug bounty program, and we make no offer of reward or compensation in exchange for submitting potential issues. Recognition in our “Public Acknowledgments” section will be given for vulnerability reports not currently known by us.

Disclaimers

Any good-faith activities conducted consistent with this program will be considered authorized conduct, and we will not initiate legal action against you. Hope City Church reserves the right to change or cancel this program at any time.