Because we appreciate the interest of our community members in the security of our systems, we have created a program to allow community members to probe our systems for certain weaknesses, and to receive an award for the discovery of those weaknesses.
If you comply with the following rules and act in good faith, we will respond as quickly as possible to fix vulnerabilities, will keep you updated on the progress, and will not take legal action against you.
- Don't attempt to access the account or data of another attendee/user; use a test user.
- Don’t perform any attack that could harm the reliability/integrity of our services or data, or which could interfere with others' use of our systems or programs. DDoS/spam attacks are not allowed.
- Don’t publicly disclose a bug before it has been fixed.
Only test for vulnerabilities on sites which are directly operated by us. Some sites are operated by
third-parties and have their own security vulnerability reporting rules. The following sites are
directly operated by us:
- Don’t use scanners or automated tools to find vulnerabilities.
- Never attempt physical attacks.
As a small non-profit, we don't have the ability to award cash grants, but do offer the following:
- Minor vulnerabilities, including those which could lead to small-scale data corruption, minor financial losses, or leaking of non-identifying data: free admission to srnd.org events for 1 year.
- Major vulnerabilities, including those which could lead to large-scale data corruption, major financial losses, or leaking of any customer data or PII: free admission to srnd.org events for life. Plus: we'll buy you ice cream at every srnd.org event you attend.
We have final discretion as to what reward, if any, a disclosure qualifies for. Free admission only applies to events you are otherwise eligible to attend, and you may still be removed or banned from participation for violations of rules or the code of conduct. Free admission does not include indirect costs, like transportation.
- Vulnerabilities requiring non-current or unusual versions of web browsers.
- Vulnerabilities requiring unlikely user interaction.
- Vulnerabilities which only prove the existence of a resource.
- Vulnerabilities which reveal information which is already public or which poses no significant risk.
- Vulnerabilities which have already been submitted by another user.
- Vulnerabilities in services we don't directly operate.
- Brute-force attacks.
We promise not to take any legal action against you only if you abide by the rules of this program, including requirements for what data you access and what rewards are available. If you take actions outside this program, particularly if in bad faith, we may contact law enforcement.