Does Radar have a bug bounty or responsible disclosure program?
Last Updated: June 26, 2020
If you believe you have discovered a bug in Radar's security, please contact us at email@example.com. By submitting a report, you acknowledge understanding of, and agreement to, the Vulnerability Disclosure Policy as detailed below.
We request that you do not publicly disclose the issue. The team will review your report to ensure compliance with our Vulnerability Disclosure Policy. Submissions should include a CVSS score. Submissions without a score will be assessed against our SLA, assigned a CVSS score by us, and responded to accordingly. If your report is determined to be out-of-scope, it will be closed without action.
We will provide a status update once we have validated the report and if we have decided to move forward. Please NOTE that contacting our team to inquire about status/updates of a submission will disqualify you from receiving a bounty for that report. This includes posting on social media regarding a bounty submission.
We operate a reward program for responsibly disclosed vulnerabilities. A reward may be provided for the disclosure of qualifying bugs, depending on severity. Radar rewards the confidential disclosure of any design or implementation issue that could be used to compromise the confidentiality or integrity of our clients' or our clients' end users' data.
As with most security reward programs, we ask that you use common sense when looking for security bugs. Vulnerabilities must be disclosed to us privately, with reasonable time for us to respond, and your testing must avoid compromising other clients' or end users' data. We do not reward denial of service, spam, or social engineering vulnerabilities. Although Radar itself and all services offered by Radar are eligible, vulnerabilities in third-party applications that use Radar are not.
As with most security reward programs, there are some restrictions:
- We will only reward the first person to responsibly disclose a bug to us. We will review duplicate reports to see if they provide additional information, but otherwise only the first reporter of an issue is rewarded.
- Automated testing is not permitted.
- Any bugs that are publicly disclosed will not be rewarded.
- Whether to reward the disclosure of a bug and the amount of the reward is entirely at our discretion, and we may cancel the program at any time.
- Your testing must not violate any laws.
- We cannot provide you a reward if it would be illegal for us to do so.
Excluded Submissions. The following bugs are not eligible for a bounty:
- Scanner output, scanner-generated reports, or video submissions.
- Submissions without an accompanying proof-of-concept demonstrating the vulnerability, and purely theoretical concepts.
- Parameter Pollution without side effects.
- Issues found through automated testing.
- Publicly released bugs in internet software within 15 days of their disclosure.
- Advisory, informational, and best-practice reports that do not include any Radar-specific testing or context will be closed.
- Denial of Service attacks, brute-force, rate-limit abuse/bypass, and password complexity/length issues.
- Spam, Phishing or Social Engineering techniques, including SPF, DMARC and DKIM issues.
- Content Spoofing, IP address discovery.
- Version number information disclosure.
- Email/SMS flooding attacks.
- Clickjacking and the issues exploited only by clickjacking.
- CSRF-able actions that do not require authentication (or a session) to exploit.
- Reports related to the following security-related headers:
  - Strict Transport Security (HSTS)
  - XSS mitigation headers (X-Content-Type-Options and X-XSS-Protection)
  - X-Forwarded-For spoofing
  - Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)