Responsible disclosure

To join the program you should read this whole page, and only proceed if you are OK with everything.

If you disclose your findings responsibly, we will not bring any lawsuit against you or launch any investigation into you. The most important rules of responsible disclosure are:

• Never ever try to access somebody else’s account or infographics, please always use your own account(s) for testing!

• Don’t test for DoS issues, launch social engineering attacks, or spam us or our users!

• If you find something, please provide us enough information to reconstruct the attack and give us enough time to respond to your report before you make it public!

What is the bounty?

Please be aware that although we will be very grateful for your submissions, at the moment we cannot give you cash rewards.

Exclusions

While researching, we'd like to ask you to refrain from:

• Denial of service

• Spamming

• Social engineering (including phishing) of Infogram staff or contractors

• Any physical attempts against Infogram property or data centers

Issues that we are aware of, but for the time being we don't plan to change/fix:

• Lack of email verification upon registration.

• Lack of password strength checking.

• Different types of accounts (e.g. google auth and password based) can share the same email address. For login purposes it is used only in one of them, therefore we don't consider this to be a flaw.

• SSL cipher recommendations.

• Missing Content-Security-Policy HTTP header.

• Rate limiting issues.

Other legal notices

• General warning: please try not to be destructive, use automated tools with care.

• Please don’t make your findings public until we explicitly allow you to do so. We will try to do our best to be really quick. But after the fix is out and making the details public doesn't compromise our users safety, we absolutely encourage you to write a blog post (or create an infographic!) about how you demonstrated that our system sucked!

• The program is not open for individuals on sanctions lists or individuals in countries on sanctions lists.

• You are responsible for any tax implications or additional restrictions depending on your country and local law.

• We reserve the right to cancel this program at any time and the decision to pay a reward is entirely at our discretion.

• You must not violate any law. You also must not disrupt any service, or compromise anyone’s data.

Thank you for helping keep Infogram and our users safe!