This program is focused on vulnerabilities in IronCore Labs’ developer APIs and SDK.
- Developer API vulnerabilities.
- Unauthenticated access to users’ accounts or information, especially PII (Personally Identifiable Information).
- Encryption issues in the SDK, excluding side-channel issues.
Documentation can be found at: https://ironcorelabs.com/docs
Production Environment: Please note that this program’s scope is a production environment. With that in mind, be sure to avoid harming infrastructure, interacting with customers, or attempting to access, manipulate, and/or attack accounts you do not explicitly own.
Out-of-Scope and Vulnerability Exclusions
IronCore’s Main Website:
*Please note that any vulnerabilities found on IronCore’s main website, ironcorelabs.com, or on domains that are not listed in the Targets section are considered out of scope and are not eligible for IronCore’s bug bounty program.*
- Service disruptions
- Physical attacks, social engineering attacks, and phishing attacks of any kind.
- Third-party systems and solutions (any resource or service not managed by IronCore Labs).
- Spam or any other mass distribution to customers, partners, etc.
- Customer support channels (chat, phone, email, etc.)
- Security reports that don’t pertain to IronCore Labs. If you send in a report for a domain that is not covered by the scope of our bug bounty program, we will ignore it.
- Flaws specific to out-of-date browsers or plugins.
- Browser functionality controlled by the client, e.g. a vulnerability in a specific browser’s implementation of the Web Crypto API.
- Malicious code running on a host site.
- Malicious code running in a browser plugin.
- Simple, non-XSS content injection. Manipulating a URL to present a page that contains custom text does not qualify for the bug bounty program.
- Cross-site request forgery.
- Clickjacking, as well as any issues only exploitable through clickjacking.
- Lack of the Secure flag on non-sensitive cookies.
- Cross-site request forgery reports whose proof of concept relies on a valid CSRF token (nonce) already being known.
- Vulnerabilities identified with automated tools (including web scanners) that do not include proof of concept code or a demonstrated exploit.
- Descriptive error messages.
- HTTP 404 or other HTTP error codes/pages.
- Disclosure of known public files or directories, e.g. robots.txt.
- Spelling errors, UI and UX bugs.
- Reports of missing SPF records for domains with no MX record.