Vulnerability disclosure policies (VDPs)
If you have found a vulnerability, please submit your findings to [email protected]
Depending on the vulnerability we will reward you with a bug bounty. Please read the following points what vulnerabilities are accepted, and which ones are out-of-scope.
Accepted, in-scope vulnerabilities include, but are not limited to:
- Broken Authentication and Session Management
- Injection vulnerabilities
- Remote Code Execution
- Insecure Direct Object Reference
- Sensitive Data Exposure
- Security Misconfiguration
- Missing Function Level Access Control
- Using Components with Known Vulnerabilities
- Directory/Path transversal
- Exposed credentials
- Out of scope vulnerabilities
Certain vulnerabilities are considered out-of-scope for the Responsible Disclosure Program. Those out-of-scope vulnerabilities include, but are not limited to:
- Social Engineering attacks
- Account enumeration using brute-force attacks
- Weak password policies and password complexity requirements
- Missing http security headers which do not lead to a vulnerability
- Reports from automated tools or scans
- CSP header vulnerabilities
- Presence of autocomplete attribute on web forms
- Missing cookie flags on non-sensitive cookies
- Reports of SSL/TLS issues, best practices or insecure ciphers
- Test versions of applications
- Mail configuration issues including SPF, DKIM, DMARC settings
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Rate limiting or brute-force issues on non-authentication endpoints
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies
- Vulnerabilities only affecting users of outdated or unpatched browsers
- Software version disclosure / Banner identification issues
- Tab nabbing
- Open redirects
- Issues that require unlikely user interaction
- Solutions affected by known CVEs published less than 30 days ago