Our commitment to independent researchers:
- To maintain confidentiality and exclusivity in the disclosure and remediation process
- To strive to validate and remediate all serious findings in a timely manner
- To respond clearly whenever remediation or validation efforts may be delayed
Our request:
- As we promise confidentiality, we ask that researchers do the same. Please do not disclose information about shared findings without written permission from our team.
- Provide detailed and clear reproduction steps (proof of concept) when sharing findings, so we may validate them in a timely manner.
- Save time by paying close attention to the out-of-scope section below.
- Include an email address with the submission, so we can reach out for technical clarifications and follow-up.
Out-of-scope:
- Testing the physical security of our offices, employees, or equipment
- Any non-web attacks such as social engineering or phishing
- DoS/DDoS, or any other testing that may impact the operation of our systems
- App or network scan reports, unvalidated test results, or “theoretical” findings
- Access to, or modification of, any account that does not belong to the researcher
- Testing which results in form or email spam, or unsolicited messages or alerts
- Testing third-party SaaS apps or services, except self-hosted, IaaS, or CDN assets
- Defacing any assets, or doing anything that may result in brand damage
In-Scope Examples:
- BOLAs/IDORs, OWASP API Top 10, multi-stage logic flaws, account enumerations and iteration flaws, XML injections, auth problems, cloud data leakages, critical software version flaws, provable RFIs/LFIs, upload exploits, WAF bypasses.
Below you will find a form where you can submit your findings. Please include accurate and detailed findings to facilitate faster validation. Thank you and happy hunting!