No technology is perfect, and RGhost believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Disclosure Policy
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Exclusions
The following attacks are out of scope of this program:
- Session fixation / expiration / replay attacks (session cookie is valid after sign out)
- Authentication-related CSRFs: Registration, Sign-in and Sign out
- Credentials brute-force / lack of captcha / creation of an unlimited number of accounts
- Absence of email confirmation / password reset functionality
- SSRF using URL file uploading, unless it leads to another attack
- Image tag usage in the file & profile description
- Lack of password policy for files
- Download link invalidation on password change
- Information disclosure using browser cache after the user logs out
- Denial of service & server IP address disclosure
- Spamming (creating files / comments / user accounts)
- Social engineering (including phishing) of RGhost staff or contractors
Intentional business logic
The following behavior is considered intentional service behavior and is excluded from the scope of this program:
- Anonymous actions which do not lead to any other attack by themselves (e.g. anonymous file upload, download, commenting, viewing of other people's files, enumeration of pages / objects on the website)
- Commenting/voting on deleted files
- Potentially sensitive information (EXIF metadata / list of files in an archive) remains accessible after files are deleted
- Merging of two accounts with the same email if one is registered using normal email signup and the other is registered using OAuth (this does not lead to account takeover, as OAuth emails are validated by the OAuth providers)
Some technical details
- It might appear from server responses that a vulnerability has been successfully triggered (unauthorized update or stored XSS). This might not be the case: please check whether the object has actually been updated on the backend, as sometimes the response is just an error message from the server.
- The service stores the ids of created comments in the session cookie if the user is anonymous. That information is not reset and is used to authorize comment operations even after the user logs in. That is also intentional business logic.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep RGhost and our users safe!