Responsible Disclosure
Although our service focuses on finding vulnerabilities across your attack surface, we are not naive enough to think that our own applications are 100% flawless. We take security issues seriously and respond swiftly to fix verifiable security issues.
We encourage anyone to report security issues to disclosure@detectify.com.
Currently, our program focuses on responsible disclosure and not monetary rewards or bounties. While we don’t offer financial compensation, we greatly value your contribution. If you seek monetary reward for your research, please check out our Crowdsource community.
Who can participate in the program?
Anyone who does not work for Detectify or a Detectify partner, reports a unique security issue that is in scope, and does not disclose it to a third party before we have patched and deployed a fix.
How should reports be formatted?
We would like you to format your reports like this:
Name: %name
Bug type: %bugtype
Domain: %domain
Severity: %severity
URL: %url
PoC: %poc
Which domains are in scope?
In scope:
- *.detectify.com
Out of scope:
- blog.detectify.com
- labs.detectify.com
- career.detectify.com
- support.detectify.com
- changes.detectify.com
- stories.detectify.com
However, if you can prove that a bug under these domains has a significant impact (for example, fetching content on detectify.com from blog.detectify.com), a bug on these domains may qualify anyway.
What bugs are eligible?
Any typical web security bugs such as:
- Cross-site Scripting
- Open redirect
- Cross-site request forgery
- File inclusion
- Authentication bypass
- Server-side code execution
What bugs are NOT eligible?
Disruptive bugs or bugs with no/low impact or likelihood such as:
- Missing cookie flags on non-session cookies or 3rd party cookies
- Logout CSRF
- Social engineering
- Denial of service
- Weak TLS ciphers
- Email spoofing, SPF, DMARC & DKIM
- Brute force attacks
- Password policy improvements
- Hardening tips (such as a missing CSP header or SRI attribute)
Other guidelines
Please don't perform research that could impact other users. Please also keep your reports concise; if we fail to understand the logic of your bug, we will tell you.
Detectify reserves the right to discontinue the program without previous notice at any time.