Bug Bounty Program
At IronCore Labs, the security of data is at the very core of our mission, and we want to know about any vulnerability that could be a threat to that security.
Our Bug Bounty Program is designed to reward people like you who follow responsible disclosure principles by reaching out to us when you’ve identified a vulnerability which would impact the security of our platform or our customers.
To participate you need to follow the simple guidelines below. We may, at our discretion, have to delete and block test accounts that are found to be abusing our testing guidelines.
Who can participate?
Anyone who doesn’t work for IronCore Labs or our partners is eligible for a bounty, but anyone can submit an issue to us as part of responsible disclosure practices.
The following targets are considered in scope:
- recrypt-rs: transform encryption library: may be downloaded here*.
- SDK: may be downloaded here**.
* Note that github.com is NOT in scope.
** Note that npmjs.com is NOT in scope.
Important: Please note that any vulnerabilities found on IronCore’s main webpage, ironcorelabs.com, or not included in the list above, are considered out of scope for this bug bounty program. Hubspot and other non-IronCore properties are also out-of-scope.
This program is focused on vulnerabilities in IronCore Labs' developer APIs and SDK.
- Developer API vulnerabilities.
- Unauthenticated access to users' accounts / information, especially PII (Personally Identifiable Information).
- Encryption issues not including side-channel issues in the SDK. Documentation can be found at: https://ironcorelabs.com/docs
Production Environment: Please note that this program scope is a production environment. With that in mind, please be sure to avoid harming infrastructure, interacting with customers, and attempting to access, manipulate, and/or attack accounts you do not explicitly own.
IronCore’s Main Website: *Please note that any vulnerabilities found on IronCore’s main webpage, ironcorelabs.com, or on domains that are not listed in the Targets section are considered out of scope and are not eligible for IronCore’s bug bounty program.*
- Service disruptions
- Physical attacks, social engineering attacks, and phishing attacks of any kind.
- 3rd party systems and solutions (any resource / service not managed by IronCore Labs).
- Spam or any other mass distribution to customers, partners, etc.
- Customer support channels (chat, phone, email, etc.)
- Security reports that don’t pertain to IronCore Labs. If you’re sending in a report for a domain that is not covered in the scope of our bug bounty program, we will ignore it.
- Flaws specific to out of date browsers/plugins.
- Browser functions controlled by the client, such as if a vulnerability is found in a specific implementation of the Web Crypto API.
- Malicious code running on a host site
- Malicious code running in a browser plugin
- Simple, non-XSS content injection. Manipulating a URL to present a page that contains custom text does not qualify for the bug bounty program.
- Cross-site request forgery.
- Clickjacking, as well as any issues only exploitable through clickjacking.
- Lack of the Secure flag on non-sensitive cookies.
- Lack of subresource integrity tags.
- Cross-site Request Forgery issues submitted with a proof-of-concept containing a nonce.
- Vulnerabilities identified with automated tools (including web scanners) that do not include proof of concept code or a demonstrated exploit.
- Descriptive error messages.
- HTTP 404 or other HTTP error codes/ pages.
- Disclosure of known public files or directories, e.g. robots.txt.
- Spelling errors, UI and UX bugs.
- Reports of missing SPF records for domains with no MX record
How to submit?
To disclose an issue for our bug bounty program, please fill out the form. We will respond by email to your form submission. If you have more information to disclose or files to attach, you can respond to the email you receive with the additional items.
Before submitting, please review the guidelines, scope, and other information below to understand what you should and shouldn’t do and what is eligible or not eligible for a bounty.
- Vulnerability reports MUST have a proof of concept or detailed step-by-step explanation of the security issue so we can reproduce it.
- Please check the Scope section for a list of which systems and classes of vulnerabilities are accepted.
- IronCore awards larger bounties for higher quality reports that include reproduction steps and the impact on users.
- We encourage researchers to include screenshots or video in their bug submissions that demonstrate the bug in action. These screenshots or video cannot be uploaded to public locations such as public Youtube videos. We can provide ways to share large files securely if needed. Just email us.
- Include your recommendations to resolve reported issues, if any.
- We do not respond to extortion or abusive or threatening language.
- Research in good faith.
- Don’t leave any system that you are accessing in a worse state than when you found it.
- We need to be able to contact researchers for additional information. If seven days elapses with no response after we contact you, we may close a submission, making you ineligible for reward.
- Never publicly disclose customer information. This is a hunt for bugs, not for customer data. If you find a way to access customer information while you are researching, please stop and report it to our bug bounty team. Continuing is not authorized, and you are not authorized to copy, store, transfer, or disclose customer information in any way.
- Only publicly disclose a vulnerability with our specific consent. (See Disclosure below for more details.)
- Please be sure to avoid harming infrastructure, interacting with customers, and attempting to access, manipulate, and/or attack accounts you do not explicitly own.
- Please don’t create an excessive number of accounts for testing.
- Avoid using site-wide scanners. Researchers who wish to should be using targeted scanning tools in order to prevent affecting the production environment. If you notice any performance degradation with your use of targeted scanning tools, you must stop using them.
- Be mindful with the rate and scope of automated scanning tools.
- Account Freezes: there are situations where during testing your account may be frozen due to fraud protection measures.
- Because of US Government restrictions, researchers working from Iran, North Korea, Syria, Sudan, or Cuba are not eligible to participate in the IronCore Labs Bug Bounty Program.
- You must be at least 18 years of age to participate in the IronCore Labs Bug Bounty program.
We will move as quickly as we can to remedy any critical issues, test the remedies, and get fixes out to customers. We ask that you wait until we’ve pushed out these fixes before you publicly disclose any issues. In some cases, we may need some extra time so that customers can update their SDK versions.
Any public vulnerability disclosure that does not have our written consent will result in you being ineligible for the IronCore Labs Bug Bounty Program.
This program uses the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.
Submitting a bug can qualify for a reward if you were the first researcher to alert us to a previously unknown issue, and the issue triggers a code or configuration change.
IronCore Labs pays rewards using PayPal.
IronCore Labs will be rewarding researchers with T-shirts for submission of a valid P3-P1 vulnerability. You will be contacted after the submission has been verified and reviewed. IronCore Labs will make a best effort (but no guarantee) to get qualifying researchers their swag. Sadly, it is very difficult to ship packages to some places in the world.
IronCore Labs reserves the right to modify terms and conditions of the IronCore Labs Bug Bounty Program, or to cancel this program at any time. Your participation in the program constitutes acceptance of all terms. Any changes to this page are effective as of the time of posting.
Updates to this page
- October 8, 2018 added Exclusion: “Reports of missing SPF records for domains with no MX record”