Responsible Disclosure Policy, planting the seeds, reaping the benefits

In December last year we first published our responsible disclosure policy, modeled after the work of Floor Terra, and by now it is time to give an overview of our experiences and give some overdue credit.

So first of all the major question: is responsible disclosure working for us?

Yes it is! Our responsible disclosure program has directed a lot of eyes towards our infrastructure, and those eyes spotted a lot of tiny details we would otherwise have missed. While we regularly scan our own infrastructure using automated tools, there are things a human will spot but a scanner will miss. Having more eyes on the infrastructure means these irregularities are spotted too.

So is there no downside? Obviously there is: each and every report needs to be investigated and handled with proper care, especially since the people reporting issues to us are doing this of their own free will. Also, some of the reports are not as clear as you would get them from a professional tester, and sometimes they are dead wrong, hence the need for further investigation. We also found out that shipping t-shirts and other swag worldwide is not always as easy as you may think.

Overall we did become more secure and definitely caught vulnerabilities that would have otherwise slipped through the net.

We would like to pass a special thanks to Bugcrowd for maintaining a list of bug bounty programs; being on this list really promoted our program.

So now for the list of results and credits:

May 2013
  • Cross-Site Scripting (XSS) vulnerability in discovered by an anonymous researcher rewarded with a t-shirt
  • XSS in discovered by an anonymous researcher rewarded with a t-shirt

June 2013
  • XSS in discovered by Florindarck of Romanian Security Team rewarded with a t-shirt

July 2013
  • Clickjacking vulnerability on SSL VPN device discovered by Surya Kumar rewarded with a t-shirt
  • XSS in via flash discovered by Darius Petrescu and (akkiliON) rewarded with a t-shirt
  • Information disclosure via error page discovered by Atul Shedage rewarded with a € 100,- donation to Room to Read
  • Insecure SSL renegotiation on SSL VPN and missing cross domain policy on discovered by Harsha Vardhan Bappana
  • Clickjacking vulnerability in discovered by Tushar Kumbhare of Defencely rewarded with a € 100,- donation to Room to Read
  • XSS in discovered by SimranJeet Singh rewarded with a t-shirt
  • Clickjacking vulnerability in discovered by Javid Hussain rewarded with a t-shirt
  • Clickjacking vulnerability in discovered by Jigar Thakkar of Infobit rewarded with a t-shirt
  • Content spoofing in discovered by Jay Turla rewarded with a t-shirt
  • XSS on discovered by Olivier Beg rewarded with a t-shirt

Floor Terra
It's great to see you giving public credits to the researchers! You are an example for other companies!

Thanks for the mention! You're most welcome re us including you on the list... Glad it has been helpful!

@caseyjohnellis - CEO, Bugcrowd
