We appreciate your help with responsibly disclosing security vulnerabilities and offer a reward to the first person who reports a valid vulnerability.

Respect other Users and their Privacy

When investigating vulnerabilities, please act in good faith and respect both the data privacy of other users and the availability of the CodeScene service. Many people rely on CodeScene daily for their work, and disrupting their use of it is both harmful and illegal.

Out of Scope

The scope of the bug bounty program is codescene.io. Our other websites, including codescene.com, are out of scope.

Details and findings that are specifically excluded from the bounty

  • Large volumes of requests (automated scanners, scripts, etc.) that could affect the website's availability are prohibited and excluded from the scope of the bounty program. This includes, but is not limited to, any kind of DoS-style attack as well as testing of rate limits.
  • SPF records
  • DMARC records
  • DNSSEC
  • Missing Content-Security-Policy header
  • Missing Certificate Authority Authorization (CAA) DNS records
  • Lack of password prompt in the 'Account Delete' feature
  • X-XSS-Protection set to "1; mode=block"
  • Miscellaneous "informational" findings, including:
    • Missing Referrer-Policy header
    • Virtual Host Discovered
    • Links With High Resource Consumption
    • Third-party Cookies Collected

Report a Vulnerability

Please let us know if you believe you have discovered a security vulnerability or detected an incident. Report it to the CodeScene Security Team.

Include a detailed description of the vulnerability together with steps to reproduce it. Please also provide an e-mail address where we can reach you, both to request more information and to send your reward.

Rewards for Vulnerability Reports

If you're the first person to report a valid security vulnerability, you're eligible for a reward. Rewards consist of public credit for your discovery (published on our webpage with your consent) and coupons for free use of CodeScene's commercial plans. The value and duration of those coupons vary with the finding and the quality of the report you provide.

Thanks for reading, and thanks for helping us make CodeScene a better service for everyone!

Credits

We'd like to thank the following people for reporting security vulnerabilities and improvements:

  • Suraj Dodiya for reporting an SPF vulnerability (fixed)
  • Suraj Dodiya for reporting a clickjacking vulnerability on codescene.com (fixed)
  • Dankel Ahmed for reporting a missing Content-Security-Policy header
  • Jessica Sachs for detecting a platform vulnerability (fixed)
  • Ratnadip Gajbhiye for reporting leakage of the HTTP server version (fixed)
  • Ayush Oberoi for detecting a cookie consent issue (fixed)
  • Shankar Acharya from Eminence Ways Pvt. Ltd for reporting a vulnerable social media account (fixed)
  • Munimadugu Somasekhar for reporting an internal software/service vulnerability (an outdated version was in use; fixed)
  • Siddhesh Joshi for reporting a DNS-related improvement
  • Kartik Khurana for reporting a broken link on the Responsible Disclosure Policy page (fixed)
  • Bikram Kharal for reporting possible accidental exposure of private account names (fixed)
  • Sharan K for reporting parameter tampering (fixed)
  • Nikhil Rane for reporting a problem with logout
  • Shailendra Singh Sachan for reporting cookie-related improvements
  • Lakshit Sharma for reporting a rate-limiting issue
  • Sasi Kumar for reporting a rate-limiting issue
  • Akshay Zambre for reporting a couple of vulnerabilities in the on-premise product (fixed)
  • Vishal Soni for reporting an open redirect vulnerability (fixed)
  • Niraj Mahajan for reporting an open redirect bypass (fixed)