SECURITY AT MOJO

Your security is our #1 priority

To report a security concern, please contact us:

SECURITY POLICIES

Security commitments to patrons and governing authorities are documented and communicated in Service Level Agreements (SLAs) and other customer agreements, as well as in the description of the service offering provided online. 

Security commitments are standardized and include, but are not limited to, the following:

  • Security principles within the fundamental designs of the Mojo platform that are designed to permit system users to access the information they need based on their role in the system while restricting them from accessing information not needed for their role.
  • Use of encryption technologies to protect patron/customer data both at rest and in transit.


Mojo establishes operational requirements that support the achievement of security commitments, relevant laws and regulations, and other system requirements. Such requirements are communicated in Mojo’s system policies and procedures, system architectural design documentation, and contracts with customers. 

Information security policies define an organization-wide approach to how systems and data are protected. These include policies around how the service is designed and developed, how the system is operated, how the internal business systems and networks are managed and how employees are hired and trained. In addition to these policies, standard operating procedures have been documented on how to carry out specific manual and automated processes required in the operation and development of the Mojo platform.

VULNERABILITY DISCLOSURE PROGRAM

These Program Rules provide our guidelines for reporting vulnerabilities to Mojo Interactive Inc.

If you believe you have identified a security vulnerability that could impact Mojo Interactive Inc. or its users, we ask you to notify us right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We request you follow our Vulnerability Disclosure Program Rules and HackerOne's Vulnerability Disclosure Guidelines (https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research. 

Note: This program is meant for vulnerabilities and security-related bugs. If you have a general bug report or site feedback, please submit it on our Feedback page.


Scope

Websites and services operated by Mojo Interactive Inc., which include:

  • mojo.com

Please do not submit:

  • Vulnerabilities reported by automated vulnerability scanning tools, unless you have a working proof-of-concept or reason to believe that this issue is exploitable. Many issues reported by these tools are low-hanging fruit and do not have a clear security implication for Mojo Interactive Inc.
  • Vulnerabilities that rely on social engineering to be exploitable.
  • Clickjacking (X-Frame-Options), HSTS (Strict-Transport-Security), Internet Explorer specific headers (X-Content-Type and X-XSS-Protection), and HttpOnly cookie reports. We already set these headers where we feel appropriate.


Scope is limited strictly to software and hardware vulnerabilities—not people. As such, Mojo Interactive Inc. users, customers, and employees are entirely out of scope of this program.

Third-party software and services that we use, such as CloudFlare, should be reported to the appropriate parties and are not eligible for a reward from us. We'd appreciate a heads-up and will credit you on our Thanks page though!

Eligibility & Disclosure

In order for your submission to be eligible:

  • You must agree to all of our Vulnerability Disclosure Program Rules (this entire page).
  • You must follow HackerOne's Vulnerability Disclosure Guidelines (https://www.hackerone.com/disclosure-guidelines).
  • You must agree to Mojo Interactive's Terms and Conditions (https://www.mojo.com/terms).
  • You must be the first person to responsibly disclose an unknown issue to us.
  • You must immediately report any vulnerability that allows access to personally identifiable information (PII), not copy or disseminate any PII obtained, and destroy any and all PII in your possession.
  • Please consolidate similar vulnerabilities across multiple files/domains into one report. Multiple reports of what is essentially the same vulnerability will be discarded and treated as one report.
  • All legitimate reports will be reviewed and assessed by Mojo Interactive Inc.'s developer team to determine eligibility.
  • As mentioned in our Rules, Mojo Interactive Inc.'s website and services are not intended for, or designed to attract, individuals under the age of 18. Reporters under the age of 18 will not be eligible to receive rewards.

Rewards

For each eligible vulnerability report, the reporter will receive:

  • Recognition on our Thanks page.
  • A Mojo Interactive Inc. credit ($20 USD value, subject to Terms of Use).
  • We do not currently offer a cash reward.

Exclusions

The following conditions are out of scope for our vulnerability disclosure program:

  • Physical attacks against Mojo Interactive Inc. users, volunteers, customers, employees, offices, and data centers.
  • Social engineering of Mojo Interactive Inc. users, volunteers, customers, employees, or service providers.
  • Knowingly posting, transmitting, uploading, linking to, or sending any malware.
  • Pursuing vulnerabilities which send unsolicited bulk or unauthorized messages (spam), and/or denial of service (DoS) attacks.
  • Any vulnerability obtained through the compromise of a Mojo Interactive Inc. user, volunteer, customer, or employee account. If your vulnerability allows you to compromise one of these accounts, please report it to us immediately and do not press further without written permission.

Submissions & Questions?

Send us an e-mail at security@mojo.com
