Details

Policy

Please note that this program does not offer rewards for bug submissions as CFP Time is just a small personal project. This disclosure program is limited to assets in the scope found in the next section.

Scope

Scope is currently: https://www.cfptime.org

Things To Look For

Web application vulnerabilities (Command Injection, SSRF, CSRF, XSS, etc)
Security misconfigurations
Suggested security improvements
Information leakage
Multi-byte/binary exploitation
Security header configurations
Etc...

Automated tools are tolerated for the moment as long as you do not cause network/service disruption for me or third-parties. Testing must not cause issues for other organisations such as hosting providers, network operators or ISPs.

Disclosure Policy

Let me know of any potential vulnerabilities as soon as possible and I will make every effort to resolve the issue quickly. Share with me the full details of any vulnerability including steps to reproduce if applicable. Provide me a reasonable amount of time to fix the issue before disclosure to the public or a third-party. Try to avoid degradation of service, destruction of data or privacy violations. I will make every effort to abide by HackerOne's disclosure guidelines: https://hackerone.com/disclosure-guidelines

Exclusions

While researching, please do not attempt the following:

Denial of service (DoS)
Spamming
Phishing
Spoofing or hijacking
Man in the Middle (MiTM) or interception
Attacks which require physical presence on the network of a user
Domain name hijacking or theft
Account hijacking or theft
Cybersquatting
Social engineering
Physical/real-life attacks
Anything that could falsely lower the reputation of me or my website
Anything that could falsely get me in trouble
Attacks on 3rd-party systems that are out of my general control

Rewards

Thank you shown at: https://hackerone.com/cfptime/thanks Please note that this program does not provide monetary rewards for bug submissions. Researchers who submit non-issues, false issues or purely opinion-based issues may not be thanked publicly.

Thank you for helping keep CFP Time safe and happy CFPing!

Things To Look For

Web application vulnerabilities (Command Injection, SSRF, CSRF, XSS, etc)

Security misconfigurations

Suggested security improvements

Information leakage

Multi-byte/binary exploitation

Security header configurations

Etc...

Disclosure Policy

Exclusions

While researching, please do not attempt the following:

Denial of service (DoS)

Spamming

Phishing

Spoofing or hijacking

Man in the Middle (MiTM) or interception

Attacks which require physical presence on the network of a user

Domain name hijacking or theft

Account hijacking or theft

Cybersquatting

Social engineering

Physical/real-life attacks

Anything that could falsely lower the reputation of me or my website

Anything that could falsely get me in trouble

Attacks on 3rd-party systems that are out of my general control

Rewards

Thank you for helping keep CFP Time safe and happy CFPing!