IssueHunt/IssueHunt VDP
Introduction
We welcome feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you. This policy outlines steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.
In Scope
This policy applies to any digital assets owned, operated, or maintained by us.
Scope Targets:
- Web Service: issuehunt.io
Our Commitments
When working with us according to this policy, you can expect us to:
- Respond to your report promptly, and work with you to understand and validate your report.
- Strive to keep you informed about the progress of a vulnerability as it is processed.
- Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints.
- Extend Safe Harbor for your vulnerability research that is related to this policy.
Our Expectations
In participating in our vulnerability disclosure program in good faith, we ask that you:
- Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail.
- Respect privacy & make a good faith effort not to access, process or destroy personal data.
- Be respectful when interacting with our team, and our team will do the same.
- Exercise caution when testing to avoid negative impact to customers and the services they depend on.
- Stop whenever unsure. If you think you may cause, or have caused, damage with testing a vulnerability, report your initial finding(s) and request authorization to continue testing.
- Do not conduct research outside of what is outlined in "In Scope".
- Do not publicly disclose a vulnerability without our explicit review and consent.
- Do not leave any system in a more vulnerable state than you found it.
- Do not submit reports from automated tools without additional analysis of how the findings are an issue.
- Do not brute force credentials or guess credentials to gain access to systems.
- Do not engage in any form of social engineering of our employees, customers, or partners.
- Do not attempt to extract, download, or otherwise exfiltrate data that may have PII or other sensitive data other than your own.
- Do not do anything that would be considered a privacy violation, cause destruction of data, or interrupt or degrade our service.
- Do not interact with accounts you do not own or without explicit permission from the account holder.
- Do not do anything that is prohibited by the terms of use (https://issuehunt.io/terms).
Safe Harbor
When you conduct vulnerability research according to this policy, we consider that research to be:
- Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy.
- Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls.
- Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis.
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report before going any further.
Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.