Responsible Disclosure Policy
Like everything in this universe, applications contain flaws and vulnerabilities. If you believe you have found a security issue in one of our services, please report it to us after reading our responsible disclosure policy.
What types of vulnerabilities we are interested in:
- Remote Code Execution
- SQL Injection
- Unrestricted File System Access
- Significant Authentication / Authorization Bypass
- Cross-Site Scripting (excluding self-XSS)
- Cross-Site Request Forgery on critical actions (such as changing username/password)
- Any vulnerability that affects our users/servers
Responsible Disclosure Guidelines
While we encourage you to report bugs to us, we have some rules too. If you don't follow them, you will be disqualified from our responsible disclosure program:
- Disclosing any vulnerabilities or suspected vulnerabilities you discover to any other third party (a government, company or person).
- Do not run automated tools on our servers.
- Vulnerability reports received prior to the responsible disclosure program launch are not eligible for the hall of fame and may not be re-submitted for recognition.
- We may terminate this program at any time without notice.
- Your participation in this program does not create any kind of employment relationship or partnership between you and Earthlink.
- CSRF on forms that are available to anonymous users (e.g. Contact Forms)
- Self-XSS or XSS bugs requiring an unlikely amount of user interaction
- Missing HTTP security headers, specifically: Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy
- Vulnerabilities affecting users of outdated or unsupported browsers or platforms
- Reports of spam, phishing or security best practices
- Email configuration issues (SPF, DKIM, DMARC)
- Weak Captcha / Captcha Bypass
- Forced Login / Logout CSRF
- DDoS / DoS attacks
- Spreading malware or viruses into our network
- Any website related to EarthLink
- Any EarthLink mobile apps.
If you have read our policy and still believe you have found something, please contact us at firstname.lastname@example.org
What We Promise You
Since our responsible disclosure program is still in its infancy, we do not offer monetary rewards (for now). But we will thank you and add your name to our hall of fame here.
Thank you for helping us to keep our users safe.
Hall of Fame
We would like to thank the following security researchers who help us keep our users secure:
- Be the First!