Whitehat

Responsible Disclosure & Bug Bounty

Vulnerabilities & Bugs

At Accredible we take security very seriously and recognise the value external security researchers can bring to the overall security of Accredible’s solution. If you believe that you have found a security vulnerability on Accredible, we encourage you to let us know straight away. We will investigate all legitimate reports and do our best to quickly fix the problem.

Before reporting, please review this page including the process and exceptions sections.

We have given out rewards for reported bugs and vulnerabilities, but these are discretionary and provided on a case-by-case basis. Our typical reward is between $50 and $500 USD.

How to Submit an Issue

  • Read these guidelines, ensuring that you follow the process and your issue is in scope.
  • Submit the issue via email to security@accredible.com

Bug Bounty Process

Your submission will be reviewed and validated by a member of the Product Security Incident Response Team.

Depending upon the severity of your issue, it may take us time to respond to you. Please do not contact our staff directly; use the email contact method above instead.

  • When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.
  • If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report.
  • When duplicates occur, we treat the first report received as unique, and subsequent reports will be marked as duplicates. (Accredible determines duplicates in its sole discretion and is not obligated to share details on prior similar reports.)
  • Report a security bug: identify a vulnerability in our services or infrastructure which creates a security or privacy risk. (Note that Accredible ultimately determines the risk of an issue, and that many software bugs are not security issues.) Report the vulnerability upon discovery or as soon as is feasible.
  • Report a security bug involving one of the products or services that are within the scope of the programme; we specifically exclude certain types of potential security issues, listed under “Program Exclusions” below.
  • We may retain any communications about security issues that you report for as long as we deem necessary for programme purposes, and we may cancel or modify this programme at any time.

Eligible Vulnerabilities

We encourage the coordinated disclosure of the following eligible web application vulnerabilities:

  • Cross-site scripting
  • Cross-site request forgery in a privileged context
  • Server-side code execution
  • Authentication or authorization flaws
  • Stored Injection Vulnerabilities
  • Directory Traversal
  • Information Disclosure
  • Significant Security Misconfiguration (please follow best practice when reporting subdomain takeovers)

Note that third-party applications or websites not owned or controlled by Accredible are not within the scope of the program.

To receive credit, you must be the first reporter of a vulnerability. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.

Program Exclusions

While we encourage any submission affecting the security of an Accredible web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program:

  • WordPress configuration or features (www.accredible.com)
  • Content spoofing / text injection
  • Self-XSS [to be valid, cross-site scripting issues must be exploitable via reflected, stored or DOM-based attacks]
  • Logout and other instances of low-severity Cross-Site Request Forgery
  • Cross-site tracing (XST)
  • Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)
  • Missing HTTP security headers
  • Missing cookie flags on non-sensitive cookies
  • Password and account recovery policies, such as reset link expiration or password complexity
  • Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
  • SSL/TLS best practices
  • Clickjacking/UI redressing with no practical security impact
  • Software version disclosure
  • Username / email enumeration via Login Page or Forgot Password Page error messages
  • Methods to extend product trial periods
  • EXIF Geolocation Data
  • DMARC Configuration

Terms & Conditions

For you to participate in the programme, we ask that:

  • You give us reasonable time to investigate and mitigate an issue that you report before making any information about the report public or sharing such information with others.
  • You do not exploit a security issue that you discover for any reason.
  • You do not violate any other applicable laws or regulations.
  • You do not interact with an individual account (which includes modifying or accessing data from the account) without the account owner's explicit consent in writing, which you must produce upon request.
  • You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorised access to or destruction of data, and interruption or degradation of our services. You must not intentionally violate any applicable laws or regulations, including (but not limited to) laws and regulations prohibiting the unauthorised access to data.
  • If you inadvertently access another person's data or Accredible company data without authorisation while investigating an issue, you must promptly cease any activity that might result in further access of user or Accredible company data and notify Accredible what information was accessed (including a full description of the contents of the information) and then immediately delete the information from your system. Continuing to access another person's data or company data may demonstrate a lack of good faith and disqualify you from any benefit of the Safe Harbour Provisions described below. You must also acknowledge the inadvertent access in any related bug bounty report that you may subsequently submit. You may not share the inadvertently accessed information with anyone else.
  • You are not employed by, or a contractor/vendor of, Accredible or its subsidiaries or affiliates, and are not an immediate family member of a person employed by Accredible or its subsidiaries or affiliates (defined for these purposes as including spouse, domestic partner, parent, legal guardian, legal ward, child, and sibling, and each of their respective spouses, and individuals living in the same household as such individuals).
  • You are at least 18 years of age; if you are at least 18 years old but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating.

Please send all reports to: security@accredible.com. Please note that we receive a high volume of reports; therefore we can only reply to the first reporter of a significant issue. Any reward payments will be made by PayPal, with no exceptions or alternatives provided.