Issue
I found a security vulnerability on your site and I would like to report it.
Possible solution
Please read the details of our bug bounty program below and send your report according to the submission process.
The following findings are specifically non-rewardable within this program:
Self XSS
HTTP 404 codes/pages or other HTTP non-200 codes/pages
Fingerprinting/banner disclosure on common/public services
Disclosure of known public files or directories (e.g. robots.txt)
Clickjacking and issues only exploitable through clickjacking
CSRF on forms that are available to anonymous users
Logout Cross-Site Request Forgery (logout CSRF)
Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
Lack of Secure and HTTPOnly cookie flags
Weak Captcha/Captcha Bypass
Login or Forgot Password page brute force and account lockout not enforced
OPTIONS HTTP method enabled
HTTPS Mixed Content Scripts
Username / email enumeration
  via Login Page error message
  via Forgot Password error message
Missing HTTP security headers, e.g.:
  Strict-Transport-Security
  X-Frame-Options
  X-XSS-Protection
  X-Content-Type-Options
  Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  Content-Security-Policy-Report-Only
Misconfigured or lack of SPF/DKIM records
Out of date software versions
Vulnerabilities in third-party components
Bugs that require phishing
Lack of server-side session handling
User spamming through Forgot Password feature
Qualification Criteria
The program covers any exploitable vulnerability that can compromise the integrity of our customers’ data, can crash applications, or that discloses sensitive information (for example remote code execution, SQL injection, Cross-Site Scripting, Cross-Site Request Forgery, information disclosure of sensitive data, authentication theft or bypass).
Make sure your submission report includes the proof of concept and replication information.
Non-qualifying vulnerabilities
Submissions that include just the output of automated tools will be marked as invalid. You must clearly outline the attack vectors and reproduction steps needed to accomplish the compromise.
Submission process
Please send your reports directly to the Bitrise Security Team ([email protected]). Do not submit as a support ticket! This will ensure your report reaches us directly and we can respond sooner.
We encourage you to send your submissions in an encrypted format (we prefer PGP). Our public key can be downloaded from here: Bitrise Security (94BE527F) – Public.asc
If you found multiple vulnerabilities, please send them in separate emails.
Make sure your report includes:
A clear and relevant title
Affected product/service
Vulnerability details and impact
Reproduction steps / Proof of Concept
Rewards
Please keep in mind that we are not able to give any cash or swag rewards for bug bounty submissions.