Responsible Disclosure
As a security-focused company ourselves, we take security issues very seriously at Fuzzbuzz. If you believe you've found a security vulnerability in Fuzzbuzz we would like to work with you to investigate the issue. We ask that you do not initially disclose your findings publicly, and allow for a reasonable timeframe for us to address your report.
After you have ensured that the vulnerability is in scope, please send us an email at [email protected]. If you believe your report contains sensitive information, consider encrypting the sensitive parts of the email with our GPG key.
Reporting a vulnerability
- Include clear written instructions for reproducing the vulnerability in your email to [email protected]
- When reporting vulnerabilities you must keep all information within the email thread. Do not post information to video-sharing or pastebin sites. Images can be sent directly via email.
- For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.
- Do not publicly disclose your submission until Fuzzbuzz has evaluated the impact.
Scope
Fuzzbuzz runs a number of services but only submissions under the following domains are eligible for rewards.
Any other Fuzzbuzz-owned domains not listed below are not in-scope.
- fuzzbuzz.io
- beta.fuzzbuzz.io
- app.fuzzbuzz.io
We welcome any reports of serious security concerns regarding in-scope domains; however, the following types of reports are not in scope:
- Reports from automated tools or scans
- Issues without clearly identified security impact (such as clickjacking on a static website), missing security headers, or descriptive error messages
- Missing best practices, information disclosures, use of known-vulnerable libraries, or descriptive / verbose / unique error pages (without substantive information indicating exploitability)
- Speculative reports about theoretical damage without concrete evidence or some substantive information indicating exploitability
- Forms missing CSRF tokens without evidence of the actual CSRF vulnerability
- Missing security-related HTTP headers which do not lead directly to a vulnerability
Public GPG Key
Fuzzbuzz Security <[email protected]>
- ID: 0x16D6A2663C3F04F6
- Fingerprint: 7B60 130D 8F64 E301 84BF 59D0 16D6 A266 3C3F 04F6