Responsible Disclosure

Program description

We take security of our users’ data very seriously and we believe in harnessing the power of the security researcher community to help keep our users safe. We encourage the responsible disclosure of security vulnerabilities.

General Rules

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of HACKRATE’s services.
• Only interact with accounts you own.
• Reports must be exact, and the reports must contain the steps to follow to reproduce the issue. Attachments such as screenshots or proof of concept code are highly recommended.
• Reports will not be awarded if our security team cannot reproduce and verify an issue.
• You must be the first person to reveal a valid vulnerability ('duplicate' reports will not be rewarded).
• The use of automated scanners is prohibited.
• HACKRATE requests that testers do not perform automated/scripted testing of web forms, especially "Contact Us" forms.
• If you find the same vulnerability several times, please create only one report. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

HACKRATE reserves the right to modify the terms of this program or terminate it at any time.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please send your question to [email protected] before going any further.

Failure to comply with Program Rules rules can be sanctioned by the exclusion from the bug bounty program or, even worse (legal actions against you).

Strictly prohibited

• Denial of Service (DoS) and Distributed Denial of Service (DDoS) based attacks
• Non-technical attacks such as social engineering or phishing, vishing, smishing
• Physical security attacks
• Password cracking attempts (brute-forcing, rainbow table attacks, wordlist substitution, etc.)

Out of scope issues

• Open ports without an accompanying proof-of-concept demonstrating vulnerability
• Design flaws and best practices that do not lead to security vulnerabilities
• Weak/expired SSL configurations
• Vulnerabilities affecting users of outdated browsers
• Missing security best practices and controls (lack of CSRF protection, missing HttpOnly or secure flags on cookies, missing XSS-Protection HTTP header)
• Self XSS
• Software version disclosure
• Low impact session management issues
• Lack of strong password policy
• Internal IP disclosure
• Rate-limiting issues
• Lack of captcha's or other spam-preventing mechanisms
• Content spoofing and text injection issues
• User Enumeration
• Open redirects
• Clickjacking on pages with no sensitive actions
• DNS server misconfiguration, lack of DNS CAA, and DNS-related configurations
• Absence of SPF / DKIM / DMARC records
• Mixed content warnings

Public Disclosure

Before disclosing an issue publicly, we require that you first request permission from us (using [email protected] email address). HACKRATE will process requests for public disclosure on a per report basis. Any researcher found publicly disclosing reported vulnerabilities without HACKRATE's written consent will be sanctioned.

Rewards

HACKRATE currently does not offer rewards.