
Please note that this program does not offer rewards for bug submissions as JamieWeb is just a small personal project.

This disclosure program is limited to assets in the scope found at the bottom of this page.

Things To Look For

  • Web application vulnerabilities (Command Injection, SSRF, CSRF, XSS, etc.)
  • Security misconfigurations
  • Suggested security improvements
  • Information leakage
  • Multi-byte/binary exploitation
  • Tor Hidden Service de-anonymization
  • Security header configurations
  • Content Security Policy (CSP) bypass
  • DNS record configuration (SPF, DKIM, DMARC, CAA, etc.)
  • TLS configuration
  • Code security audit/review
  • Software that is more than 24 hours out of date
  • Etc...

Feel free to use automated tools as long as you do not cause network/service disruption for me or third parties.

Testing must not cause issues for other organisations such as hosting providers, network operators or ISPs.

Disclosure Policy

  • Let me know of any potential vulnerabilities as soon as possible and I will make every effort to resolve the issue quickly.
  • Share with me the full details of any vulnerability including steps to reproduce if applicable.
  • Provide me a reasonable amount of time to fix the issue before disclosure to the public or a third-party.
  • Try to avoid degradation of service, destruction of data or privacy violations.

I will make every effort to abide by HackerOne's disclosure guidelines: https://hackerone.com/disclosure-guidelines

Exclusions

While researching, please do not attempt the following:

  • Denial of service (DoS)
  • Spamming
  • Phishing
  • Spoofing or hijacking
  • Man-in-the-Middle (MITM) attacks or traffic interception
  • Attacks which require physical presence on the network of a user
  • Domain name hijacking or theft
  • Account hijacking or theft
  • Cybersquatting
  • Social engineering
  • Physical/real-life attacks
  • Anything that could falsely lower the reputation of me or my website
  • Anything that could falsely get me in trouble
  • Attacks on third-party systems that are outside of my general control

Rewards

Please note that this program does not provide monetary rewards for bug submissions.

Researchers who submit non-issues, false issues or purely opinion-based issues may not be thanked publicly.

Thank you for helping keep JamieWeb safe!