Reporting Security Vulnerabilities

This page is intended for security researchers. To find out more about IRCCloud's security, please visit our privacy information page.

If you believe you have found a security vulnerability on IRCCloud, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.

Please submit your report here and our security team will respond as soon as possible.

Responsible Disclosure Policy

If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.

Automated Testing

Automated testing against IRCCloud is not allowed. If you use automated testing, your account will be banned and we will not award any bounties.

Bug Bounty Info

To show our appreciation for security researchers, we offer a monetary bounty for certain qualifying security bugs. Here is how it works:

Eligibility

To qualify for a bounty, you must:

• Follow the HackerOne Disclosure Guidelines
• Adhere to our Responsible Disclosure Policy (above)
• Be the first person to responsibly disclose the bug
• Report a bug applicable to our main web application on www.irccloud.com, and our open-source Android and iOS apps.
• Report a bug that could compromise the integrity of our user data, circumvent the privacy protections of our user data, or enable access to a system within our infrastructure, such as:
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF/XSRF)
• Broken Authentication
• Circumvention of our Privacy policy
• Remote Code Execution
• Privilege Escalation
• Provisioning Errors
• Please use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing. Do not interact with other IRC users or channels without the consent of their owners.
• Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)

We will assess each bug to determine if it qualifies.

Rewards

• Our minimum reward is $50 USD for minor issues, while we expect to reward $500+ USD for major vulnerabilities
• There is no maximum reward: each bug is awarded a bounty based on its severity and creativity
• Only 1 bounty per security bug will be awarded

Exclusions

The following bugs are generally not eligible for a bounty (and we do not recommend testing for these):

• Denial of Service Vulnerabilities
• Spam or Social Engineering techniques
• "Best practice", e.g. missing CSP headers.
• Attacks requiring root access to a user device.
• E-mail impersonation/SPF/DMARC issues.

"Leaked" credentials are generally the result of endpoint compromise or credential stuffing - we welcome reports of these and will invalidate reported credentials, but we will not pay a bounty for reports which do not represent a security vulnerability in the IRCCloud service itself.

Reporting Bugs

Please only report one bug per HackerOne issue. If you submit a bug report containing a video, you must also clearly describe the issue in the text of the report.

Please note that we are a small company with no dedicated security engineers. High-priority issues will be dealt with swiftly, but lower-priority issues may take some time to be fixed. We won't issue any rewards until fixes are deployed.