Launching API scanning - left to claim 20% off

Watch a short product walkthrough
Detectify AppSec platform
Solutions by use case
Solutions by industry
  • Technology

    Solve common challenges faced by technology organizations

  • Consumer packaged goods

    Get more visibility and control over your digital products

  • Media & Gaming

    Manage digital transformation and secure what you're hosting in the cloud

  • Public Sector

    For agencies, higher education, and European governments

Start 2-week free trial Start 2-week free trial
Watch a demo Talk to sales
Detectify Crowdsource
  • What is Crowdsource?

    How Detectify customers benefit from our community of elite ethical hackers

  • Meet the community

    Meet some of our ethical hackers who come from all corners of the globe

  • Leaderboard

    See which ethical hackers are leading for the quarter, year, and all time

FOR ETHICAL HACKERS
  • Join Crowdsource

    Ready to join? Solve our Crowdsource Challenge and become part of our community

Start 2-week free trial
Watch a demo Talk to sales
Resource Center
  • All resources

    Explore case studies, webinars, e-books, whitepapers and videos

  • Case studies

    Learn how Detectify is an essential tool in these customer stories

  • Webinars

    Webinars and recordings to level up your AppSec knowledge

  • E-books & Whitepapers

    Browse and download e-books and whitepapers on AppSec and related topics

  • Events

    Register and browse for both online and in person events and webinars

  • Detectify Blog

    Read the latest product updates, news, industry insights and best practices

  • E-books & Whitepapers

    Browse and download e-books and whitepapers on AppSec and related topics

  • Events

    Register and browse for both online and in person events and webinars

  • Detectify Blog

    Read the latest product updates, news, industry insights and best practices

Trending Topics
Start 2-week free trial
Watch a demo Talk to sales
Products & Solutions Resources Crowdsource Alfred AI Pricing About us
Products & Solutions
Platform overview Surface Monitoring Application Scanning API Scanning
Solutions by use case Attack surface protection Prevent subdomain takeover Scaling organizations Know what apps to scan
Solutions by Industry Technology Consumer packaged goods Media & Gaming Public Sector
Start 2-week free trial
Watch a demo Talk to sales
Crowdsource
Detectify Crowdsource What is Crowdsource? Meet the community Leaderboard
For ethical hackers Ethical hacking with us How Crowdsource works Detectify Labs
Start 2-week free trial
Watch a demo Talk to sales
Resources
Resource Center All resources Case studies Webinars E-books & Whitepapers Events Detectify Blog
Trending Topics External Attack Surface Management Common attack vectors
Start 2-week free trial
Watch a demo Talk to sales

Responsible Disclosure

Although our service focuses on finding vulnerabilities across your attack surface, we are not naive enough to think that our own applications are 100% flawless. We take security issues seriously and respond swiftly to fix verifiable security issues.

We encourage anyone to report security issues to disclosure@detectify.com.

Currently, our program focuses on responsible disclosure and not monetary rewards or bounties. While we don’t offer financial compensation, we greatly value your contribution. If you seek monetary reward for your research, please check out our Crowdsource community.

A graphic of a megaphone

Who can participate in the program?

Anyone who doesn't work for Detectify or partners of Detectify who reports a unique security issue in scope and does not disclose it to a third party before we have patched and updated.

How should reports be formatted?

We would like you to format your reports like this:

Name: %name   
Bug type: %bugtype   
Domain: %domain   
Severity: %severity   
URL: %url   
PoC: %poc

Which domains are in scope?

In scope:

  • *.detectify.com

Out of scope:

  • blog.detectify.com
  • labs.detectify.com
  • career.detectify.com
  • support.detectify.com
  • changes.detectify.com
  • stories.detectify.com

However, if you can prove that a bug under these domains has a significant impact (for example, fetching content on detectify.com from blog.detectify.com), a bug on these domains may qualify anyway.

What bugs are eligible?

Any typical web security bugs such as:

Cross-site Scripting
Open redirect
Cross-site request forgery
File inclusion
Authentication bypass
Server-side code execution

What bugs are NOT eligible?

Disruptive bugs or bugs with no/low impact or likelihood such as:

Missing Cookie flags on non-session cookies or 3rd party cookies Logout CSRF
Social engineering
Denial of service
Weak TLS ciphers
Email spoofing, SPF, DMARC & DKIM
Brute force attacks
Password policy improvements
Hardening tips (such as missing CSP header or SRI attribute)

Other guidelines

Please don't perform research that could impact other users. Secondly, please keep the reports concise. If we fail to understand the logic of your bug, we will tell you.

Detectify reserves the right to discontinue the program without previous notice at any time.