BetaAll features free!

Responsible Disclosure Policy

This page is for security researchers interested in reporting application security vulnerabilities.

If you have reported an issue determined to be within program scope, is determined to be a valid security issue, and you have followed program guidelines, Hockey512 will recognize your finding and you will be allowed to disclose the vulnerability after a fix has been issued. Please refer all questions to Hockey512 contact page.

Typical Vulnerabilities Accepted:

OWASP Top 10 vulnerability categories
Other vulnerabilities with demonstrated impact

Typical Out of Scope:

Theoretical vulnerabilities
Informational disclosure of non-sensitive data
Low impact session management issues
Self XSS (user defined payload)

Responsible Disclosure Guidelines:

Adhere to all legal terms and conditions outlined at responsibledisclosure.com
Work directly with ResponsibleDisclosure.com on vulnerability submissions
Provide detailed description of a proof of concept to detail reproduction of vulnerabilities
Do not engage in disruptive testing like DoS or any action that could impact the confidentiality, integrity or availability of information and systems
Do not engage in social engineering or phishing of customers or employees
Do not request compensation for time and materials or vulnerabilities discovered

Scope and ROE

Rules of Engagement

No Denial of Service testing
No Physical or Social Engineering
No testing of Third-party Services
No uploading of any vulnerability or client-related content to third-party utilities (e.g. Github, DropBox, YouTube)
All attack payload data must use professional language
If able to gain access to a system, accounts, users, or user data, stop at point of recognition and report. Do not dive deeper to determine how much more is accessible.
When documenting a vulnerability, if a vulnerability is public, please make sure it is discreet and doesn't identify the client.

Low Impact Vulnerabilities - Out of Scope

The following vulnerabilities are considered too low of an impact to the client and would be marked as Out of Scope if submitted:

Google Maps API Keys
Account/e-mail enumeration using brute-force attacks
Valid user account/email enumeration not requiring brute-force will be considered
Any low impact issues related to session management (i.e. concurrent sessions, session expiration, password reset/change log out, etc.)
Bypassing content restrictions in uploading a file without proving the file was received
Clickjacking/UI redressing
Client-side application/browser autocomplete or saved password/credentials
Descriptive or verbose error pages without proof of exploitability or obtaining sensitive information
Directory structure enumeration (unless the fact reveals exceptionally useful information)
Incomplete or missing SPF/DMARC/DKIM records
Issues related to password/credential strength, length, lockouts, or lack of brute-force/rate limiting protections
Account compromises (especially admin) as a result of these issues will likely be considered VALID
Lack of SSL or Mixed content
Leaking Session Cookies, User Credentials, or other sensitive data will be reviewed on a case by case basis
If leaking of sensitive data requires MiTM positioning to exploit, it will be considered out of scope
Login/Logout/Unauthenticated/Low-impact CSRF
CSRF Vulnerabilities may be acceptable if they are of higher impact. Examples of low impact CSRF include: Add/Delete from Cart, Add/remove wishlist/favorites, Nonsevere preference options, etc.
Low impact Information disclosures (including Software version disclosure)
Missing Cookie flags
Missing/Enabled HTTP Headers/Methods which do not lead directly to a security vulnerability
Reflected file download attacks (RFD)
Self-exploitation (i.e. password reset links or cookie reuse)
SSL/TLS best practices that do not contain a fully functional proof of concept
URL/Open Redirection
Use of a known-vulnerable library which leads to a low-impact vulnerability (i.e. jQuery outdated version leads to low impact XSS)
Valid bugs or best practice issues that are not directly related to the security posture of the client
Vulnerabilities affecting users of outdated browsers, plugins or platforms
Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected
Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. Self-XSS)
Self-XSS for a Persistent/Stored XSS will be considered. The only circumstances under which we will not require proof of impact to multiple users is for Persistent/Stored XSS in cases where only one set of credentials is available to the researcher and other users cannot be tested. We will require documentation or evidence reasonably proving the functionality is available to other users/backend team/admin for the report to be considered.
Any type of XSS that requires a victim to press an unlikely key combination is NOT in scope (i.e. alt+shift+x for payload execution)

Additional specific vulnerability types considered out of scope due to low impact:

IIS Tilde File and Directory Disclosure
SSH Username Enumeration
Wordpress Username Enumeration
SSL Weak Ciphers/ POODLE / Heartbleed
CSV Injection
PHP Info
Server-Status if it does not reveal sensitive information
Snoop Info Disclosures

4 Upcoming