Security

I appreciate the efforts of fellow security researchers and provide secure means for disclosing security vulnerabilities responsibly. As a reward, the reporter of any valid vulnerability will be featured in the hall of fame by name, handle (e.g. Twitter) and/or website. Additional rewards are at my discretion.

Rules and Scope

A submitted vulnerability will only be validated if the researcher respects the following rules and scope.

Rules

The researcher shall not:

  • Use automated tools to find vulnerabilities.
  • Conduct non-technical attacks (e.g. social engineering, phishing, etc.).
  • Perform any attack on systems that aren’t listed under the scope section.
  • Perform any attack that could harm the reliability or integrity of the target systems (e.g. denial of service, spam, etc.).

The researcher shall:

  • Respect responsible disclosure principles, independently of the time taken to validate the report.
  • Immediately suspend all testing if any performance degradation of the target systems is noticeable.

Vulnerability reports will be accepted as long as:

  • Any materials related to the vulnerability aren’t hosted on a public platform (e.g. YouTube) without prior consent.
  • The vulnerability hasn’t already been submitted by another researcher and isn’t already known.
  • The risk represented by the vulnerability isn’t considered acceptable.
  • The affected systems are in scope as defined below.

Scope

Any system that can be reached through a serializing.me (sub-)domain is in scope, with the notable exception of www.serializing.me, which is hosted by GitHub. Also take into account that the following vulnerability types are specifically excluded:

  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting or banner disclosure on common/public services.
  • Disclosure of known public files or directories (e.g. robots.txt, etc.).
  • Clickjacking and issues only exploitable through clickjacking.
  • Lack of Secure/HttpOnly flags on non-sensitive cookies.
  • Lack of security speedbump when leaving the website.
  • OPTIONS HTTP method enabled.
  • Missing HTTP security headers (e.g. Strict-Transport-Security, X-Frame-Options, etc.).
  • TLS issues and attacks (e.g. BEAST, BREACH, forward secrecy not enabled, etc.).

How to Report

Please contact me using the GPG/PGP key as shown in the contact page.

Hall of Fame

Below is a list of security researchers, white hat hackers, and bug bounty hunters who have contributed to the security of my digital estate. This page is to provide recognition, to say thank you!

  • Jayesh Patel reported an HTTP Host Header Injection (Bugcrowd)