Submit a vulnerability report
Only original, previously unreported bugs qualify for credit. Bugs are limited to currently supported browser versions and must be reproducible. Please include the exact input data and the operation used. Please do not run automated scans with applications such as Burp Suite. Submissions from anyone we have found scanning the system will be treated as a denial-of-service attack against our infrastructure and will be marked invalid.
Only submit one issue per ticket.
The following will not qualify for the program:
- Banner/version disclosure
- Username enumeration
- Output from automated tools submitted as a simple copy/paste of the result (example: an ssllabs.com report URL for the mailchimp.com domain). A PoC and a detailed description of how the issue can affect a user's data or The Rocket Science Group's data or infrastructure must be included.
- Previously reported bugs
- Bugs that rely on impractical user action (example: self-XSS, where the user must type an XSS payload into a particular field themselves)
- Issues that cannot be reproduced
- DDoS attacks
- CRIME/BEAST attacks
- Social Engineering
- Brute-force password cracking
- Bugs specific to unsupported browsers/plugins
- Signup, login and logout cross-site request forgery (CSRF)
- URL redirection (open redirects)
- Attacks mitigated by HSTS (HTTP Strict Transport Security)
- Vulnerabilities whose testing or exploitation would send unsolicited bulk messages (spam) or other unauthorized messages
Please note: when researching a vulnerability, only use accounts you own. Do not attempt to access or use another user's account. The Rocket Science Group reserves the right to reject any report it finds invalid and to revise or cancel the program at any time.
Research must not violate any law, and must not disrupt or compromise any data that is not your own.