As of today, researchers can report security issues in Detectify services to earn a spot on our Hall of Fame as well as some cool prizes. The Detectify team has participated in most Responsible Disclosure programs out there and we felt the time is here to have one of our own.
But our service is made for finding web vulnerabilities, how come we need a Disclosure program? Well. Even though our services are based around finding security bugs in web applications, we are not as naive as to think that our own applications are 100% flawless. We take security issues seriously and will respond swiftly to fix verifiable security issues. If you are the first to report a verifiable security issue, we’ll thank you with some cool stuff and a place at our hall of fame page.
So how does the reporting process work? It’s a 5 step process:
- A researcher sends a mail using the correct template to firstname.lastname@example.org
- The researcher will get an automatic response confirming that we have acquired the issue
- A support case is automatically created
- The person assigned to the support case responds to the researcher, verifying the issue
- The issue is patched and the researcher is showered in eternal
What bugs are eligible? Any typical web security bugs such as:
- Cross-site Scripting
- Open redirect
- Cross-site request forgery
- File inclusion
- Authentication bypass
- Server-side code execution
What bugs are NOT eligible? Any typical low impact/too high complexity such as:
- Missing Cookie flags on non-session cookies or 3rd party cookies
- Logout CSRF
- Social engineering
- Denial of service
- SSL BEAST/CRIME/etc
So what are you waiting for?