We appreciate your help with disclosing security vulnerabilities and offer a reward to the first person that reports a vulnerability.

Respect other Users and their Privacy

When investigating vulnerabilities, please act in good faith and respect the data privacy of other users as well as the service availability of CodeScene. Many people use CodeScene on a daily basis for their work, and it’s harmful -- and illegal -- to disrupt their usage of CodeScene.

Out of Scope

The scope of the bug bounty program is codescene.io. Our other websites, including codescene.com, are out of scope.

Details and findings that are specifically excluded from the bounty

  • Large quantities of requests (automatic scanners, scripts, etc.) that could potentially affect the website's availability are prohibited and excluded from the scope of the bounty program. This includes but is not limited to any type of DOS-style attack, as well as testing rate-limits.
  • SPF records
  • DMARC records
  • DNSSEC
  • Missing Content-Security-Policy header
  • Missing Certificate Authority Authorization
  • Lack of password prompt in the 'Account Delete' feature
  • X-XSS-Protection set to "1; mode=block"
  • Miscellaneous "informational" findings, including:
    • Missing Referrer-Policy header
    • Virtual Host Discovered
    • Links With High Resource Consumption
    • Third-party Cookies Collected

Report a Vulnerability

Please let us know if you believe you have discovered a security vulnerability or have detected an incident. You can report such vulnerabilities to the CodeScene Security Team.

Include a detailed description of the vulnerability, together with steps on how to reproduce it. Please make sure to provide an e-mail address where we can reach you, both to request more information and to send your reward.

Rewards for Vulnerability Reports

If you’re the first person to report a valid security vulnerability, you’re eligible for a reward. The rewards include public credit for your discovery (published on our webpage with your consent), as well as coupons that give you free use of the commercial plans in CodeScene. The value and duration of those coupons vary depending on your findings and the quality of the report you provide.

Thanks for reading, and thanks for helping us make CodeScene a better service for everyone!

Credits

We'd like to thank the following people for reporting security vulnerabilities and improvements:

  • Suraj Dodiya
  • Dankel Ahmed
  • Jessica Sachs
  • Ratnadip Gajbhiye
  • Ayush Oberoi
  • Shankar Acharya
  • Munimadugu Somasekhar
  • Siddhesh Joshi
  • Kartik Khurana
  • Bikram Kharal
  • Sharan K
  • Nikhil Rane
  • Shailendra Singh Sachan
  • Lakshit Sharma
  • Sasi Kumar
  • Akshay Zambre
  • Vishal Soni
  • Niraj Mahajan
  • Mangesh Muley
  • Vaibhav Bhaurao Gaikwad