Whitehat

Responsible Disclosure & Bug Bounty

Vulnerabilities & Bugs

At Accredible we take security very seriously. If you believe that you have found a security vulnerability on Accredible, we encourage you to let us know straight away. We will investigate all legitimate reports and do our best to quickly fix the problem.

We have given out rewards for reported bugs and vulnerabilities but these are discretionary and provided on a case by case basis. Our typical reward is between $50 and $500 USD.

How to Submit an Issue

  • Read these guidelines, ensuring that you follow the process and your issue is in scope.
  • Submit the issue via email to security@accredible.com

Process

Your submission will be reviewed and validated by a member of the Product Security Incident Response Team.

Depending upon the severity of your issue, it may take us time to respond to you.

  • When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.
  • If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report.
  • When duplicates occur, the first report received is treated as the original, and subsequent reports of the same issue are marked as duplicates.

Eligible Vulnerabilities

We encourage the coordinated disclosure of the following eligible web application vulnerabilities:

  • Cross-site scripting
  • Cross-site request forgery in a privileged context
  • Server-side code execution
  • Authentication or authorization flaws
  • Stored injection vulnerabilities
  • Directory traversal
  • Information disclosure
  • Significant Security Misconfiguration (please follow best practice when reporting subdomain takeovers)

To receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.

Program Exclusions

We welcome any submission affecting the security of an Accredible web property, but unless evidence demonstrating exploitability is provided, the following examples are excluded from this program:

  • WordPress configuration or features (www.accredible.com)
  • Content spoofing / text injection
  • Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]
  • Logout and other instances of low-severity Cross-Site Request Forgery
  • Cross-site tracing (XST)
  • Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)
  • Missing HTTP security headers
  • Missing cookie flags on non-sensitive cookies
  • Password and account recovery policies, such as reset link expiration or password complexity
  • Invalid, incomplete or missing SPF (Sender Policy Framework) or DKIM records
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
  • SSL/TLS best practices
  • Clickjacking/UI redressing with no practical security impact
  • Software version disclosure
  • Username / email enumeration via Login Page or Forgot Password Page error messages
  • Methods to extend product trial periods

Terms & Conditions

We ask that:

  • You give us reasonable time to investigate and mitigate an issue that you report before making any information about the report public or sharing such information with others.
  • You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) destruction of data and interruption or degradation of our services.
  • You do not exploit a security issue that you discover for any reason.
  • You do not violate any other applicable laws or regulations.

Please send all reports to: security@accredible.com. Please note that we receive a high volume of reports and can therefore only reply to the first reporter of a significant issue. Any reward payments will be made by PayPal, so please do not submit a report with an expectation of payment unless you can accept PayPal.