Stream MOWii and the MOWii logo are trademarks of MOWii, LLC. Do not use these marks in any manner that implies MOWii’s sponsorship or endorsement unless MOWii has given you permission.
VULNERABILITY DISCLOSURE PROGRAM
The software security research community makes the internet a better, safer place. We support bug-hunting efforts with a responsible vulnerability disclosure program.
The following domains and apps are within the scope of the program:
- MOWii for iOS
- MOWii for Amazon Fire
- MOWii for Google Chromecast
- MOWii for Roku
- MOWii for Sony PlayStation
- MOWii for Microsoft
To be eligible, you must demonstrate a security compromise on any of these domains using a reproducible exploit, including the following:
- Cross-site scripting exploits
- Cross-site request forgery exploits
- Authentication or authorization flaws
- Official MOWii mobile apps or API flaws
- Server-side code execution bugs
- Injection flaws
- Significant security misconfigurations
- Recommendation and ranking systems
These vulnerabilities do not qualify:
- CSRF configuration issue without exploitable proof of concept.
- Using Burp's CSRF PoC generator without demonstrating impact. A Man-in-the-middle (MiTM) proof of concept case that consists solely of installing a root CA into the truststore and using Burp (or similar tools) does not qualify.
- Missing security headers which do not lead directly to a vulnerability.
- Vulnerabilities in third-party components in use at MOWii, depending on severity and exploitability. For instance, we try to keep up to date with OpenSSL versions but not all security issues impact MOWii’s configuration.
- Bugs that require phishing.
- Rate limits on emails sent during sign-up, sign-in, and change email confirmations.
- Using an email spoofing tool to send an email spoofed as sent from a MOWii.com domain (e.g. security@MOWii.com), where the email is delivered but marked as spam, as opposed to not being sent at all.
- Logging in to MOWii on several apps, or logging in and logging out repeatedly, thereby creating a large number of user sessions.
Rules for You
- Don’t make the bug public before it has been fixed.
- Don’t attempt to gain access to another user’s account or data. Use your own test accounts for cross-account testing.
- Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
- Only test for vulnerabilities on sites or apps you know are operated by MOWii. Some sites hosted on subdomains of MOWii.com are operated by third parties and should not be tested.
- Do not impact other users with your testing; this includes testing for vulnerabilities in accounts you do not own. We may suspend your MOWii account and ban your IP address if you do so.
- Don’t use scanners or automated tools to find vulnerabilities. They’re noisy and we may suspend your MOWii account and ban your IP address.
- No non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- When in doubt, email us at email@example.com (subject line: "Vulnerability Disclosure").
Rules for Us
- We will respond as quickly as possible to your submission.
- We will keep you updated as we work to fix the bug you submitted.
- We will not take legal action against you if you play by the rules and act in good faith.
Based on the severity of the bug and completeness of the submission, which we will decide at our sole discretion, we offer recognition by listing you on an acknowledgements page.
Legal Things & Final Notes
We deal only with principals, not vulnerability brokers.
If you reside in a country on a United States restricted export control list, or are on a United States state or federal criminal wanted list or restricted export control list, you are not eligible to participate in this program.
We will make the final decision on bug eligibility and severity. This program exists entirely at our discretion and may be modified or canceled at any time. Any changes we make to these program terms do not apply retroactively. Thanks for helping us make MOWii more secure.
DATA REQUEST TRANSPARENCY REPORT
This report discloses requests we’ve received from government agencies for personal data about MOWii users. This report was last updated on September 08, 2020.
National Security Demands
In this section, we provide information about our receipt and response to national security demands for the personal information held by MOWii users. In the United States, for example, these include national security letters and orders issued by the Foreign Intelligence Surveillance Court.
We have received zero (0) national security demands to date in 2021.
Law Enforcement Demands
In this section, we disclose how many law enforcement demands we’ve received for personal information about MOWii users.
We have received zero (0) law enforcement demands to date in 2021.
Third Party Notices
MOWii’s website and software (including MOWii’s apps) rely on software available under open source or free licenses.