As a security-focused company ourselves, we take security issues very seriously at Fuzzbuzz. If you believe you've found a security vulnerability in Fuzzbuzz we would like to work with you to investigate the issue. We ask that you do not initially disclose your findings publicly, and allow for a reasonable timeframe for us to address your report.
After you have ensured that the vulnerability is in-scope, please send us an email at [email protected]. If you believe your report contains sensitive information, consider encrypting valid parts of the email with our GPG Key.
Reporting a Vulnerability
- Include clear written instructions for reproducing the vulnerability in your email to [email protected]
- When reporting vulnerabilities you must keep all information within the email thread. Do not post information to video-sharing or pastebin sites. Images can be sent directly via email.
- For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.
- Do not publicly disclose your submission until Fuzzbuzz has evaluated the impact.
Fuzzbuzz runs a number of services but only submissions under the following domains are eligible for rewards. Any other Fuzzbuzz-owned domains not listed below are not in-scope.
We welcome any reports of serious security concerns with regards to in-scope domains, however the following types of reports are not in scope:
- Reports from automated tools or scans
- Issues without clearly identified security impact (such as clickjacking on a static website), missing security headers, or descriptive error messages
- Missing best practices, information disclosures, use of a known-vulnerable libraries or descriptive / verbose / unique error pages (without substantive information indicating exploitability)
- Speculative reports about theoretical damage without concrete evidence or some substantive information indicating exploitability
- Forms missing CSRF tokens without evidence of the actual CSRF vulnerability
- Missing security-related HTTP headers which do not lead directly to a vulnerability
Public GPG Key
- Fuzzbuzz Security "[email protected]"
- ID: 0x16D6A2663C3F04F6
- Fingerprint: 7B60 130D 8F64 E301 84BF 59D0 16D6 A266 3C3F 04F6