If you have found a vulnerability in TestMonitor, we encourage you to submit your report to us as soon as possible and to not make the vulnerability public until it has been fixed and verified by TestMonitor.
While we greatly appreciate vulnerability disclosures from the community, no compensation will be given.
TestMonitor will not file a lawsuit against you or report you to law enforcement assuming the vulnerability was reported responsibly and that it meets the following criteria.
- Notify TestMonitor of the vulnerability and provide all of the details available to you.
- Please provide enough detail to be able to fully identify and reproduce the issue, which may include the product, version, URL, requests/responses, screenshots, etc.
- Provide TestMonitor with a reasonable time period to fix or address the issue before publicly disclosing.
- In your research, please avoid any possible service disruption, accessing private user data, or destroying user data.
- Do not submit reports from automated exploit scanning tools without first confirming the issue is in fact present.
- Do not contact TestMonitor employees or users for the purpose of phishing or social engineering.
Categories to Look for Vulnerabilities
We are primarily interested in hearing about the following vulnerability categories:
We encourage you to look for vulnerabilities in the following areas:
- SQL Injection
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Authentication Bypass
- Insecure Direct Object References
- Remote Code Execution
- Sensitive Data Exposure
Internal processes, security and data transfers
A large part of GDPR compliance is making sure that there are procedures in place that ensure that data processes are mapped and auditable. We have added elements to our application development cycle to build features in accordance with the principles of Privacy by Design. Any access to the Client Data that we process on your behalf is strictly limited. Our internal procedures and logs make sure that we meet the GDPR accountability requirements in this regard.
Vulnerability Categories that are Out of Scope
The following categories are considered out of scope and should not be explored during your vulnerability research:
- Denial of Service (DoS)
- SSL vulnerabilities (i.e. misconfiguration or version)
- Brute force attacks
- User enumeration
- Misconfigured flags on non-sensitive cookies
- Logout CSRF
- Issues only present in deprecated browsers or plugins
- Clickjacking on pages without authentication and/or sensitive state changes
- Vulnerabilities that require users to perform highly unlikely actions (i.e. disabling browser security features, sending an attacker critical info, etc.)
How to Report Vulnerabilities
Please send your report (including meta data) to firstname.lastname@example.org
Please note that even tough we highly appreciate your effort, No compensation may be expected as only critical vulnerabilities are eligible for a compensation.