I appreciate the efforts of fellow security researchers and provide a secure means for disclosing security vulnerabilities responsibly. As a reward, I will feature in the hall of fame the name, handle (e.g. Twitter) and/or website of the reporter of any valid vulnerability. Additional rewards are at my discretion.
Scope and Rules
A submitted vulnerability will only be validated if the researcher respects the following rules and scope.
The researcher shall not:
- Use automated tools to find vulnerabilities.
- Conduct non-technical attacks (e.g. social engineering, phishing, etc.).
- Perform any attack to systems that aren’t listed under the scope section.
- Perform any attack that could harm the reliability or integrity of target systems (e.g. denial of service, spam, etc.).
The researcher shall:
- Respect responsible disclosure principles, regardless of the time taken to validate the report.
- Suspend all testing immediately if any performance degradation of the target systems is noticed.
A vulnerability report will be accepted as long as:
- No materials related to the vulnerability are hosted on a public platform (e.g. YouTube) without prior consent.
- The vulnerability hasn't already been submitted by another researcher and isn't already known.
- The risk represented by the vulnerability isn't considered acceptable.
- The affected systems are in scope as defined below.
In scope is any system that can be reached through a serializing.me domain or one of its subdomains. The following vulnerability types are specifically excluded:
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Fingerprinting or banner disclosure on common/public services.
- Disclosure of known public files or directories (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- Lack of Secure/HttpOnly flags on non-sensitive cookies.
- Lack of a warning page (speed bump) when leaving the website.
- OPTIONS HTTP method enabled.
- Missing HTTP security headers (e.g. Strict-Transport-Security, X-Frame-Options).
- TLS issues and attacks (e.g. BEAST, BREACH, forward secrecy not enabled).
How to Report
Please contact me using the GPG/PGP key shown on the contact page.