We believe that working with experienced security researchers across the globe is fundamental to identifying weaknesses in our technology and essential for keeping our products and our users safe.
If you believe you've found a security issue in one of our products or services, we kindly ask you to notify us. We welcome working with you to resolve the issue promptly.
moviecontentfilter.com (including any subdomains)
briefe.io (including any subdomains)
delight.im (including www subdomain)
im.delight.letters (Android)
Remote-code execution (RCE)
SQL injection
Authentication bypass
Leakage of sensitive data
Privilege escalation
Improper access control
Cross-site scripting (XSS)
Server-side request forgery (SSRF)
etc.
Let us know about potential security issues as soon as possible upon discovery, and we'll make every effort to resolve the issue quickly and adequately.
Please provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or to any third parties.
Please strive to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts that you own or with accounts where you have the explicit permission of the account holder.
Include proofs of exploitability, e.g. steps to reproduce, screenshots, images, video or scripts.
Minimize the damage that occurs during your research. Use and operate on test accounts only and test "safe" commands such as hostname, uname, id, cat /proc/1/maps or touch /root/your_username.
Describe the environment that you found a weakness in, e.g. URL, application, browser (vendor and version number) and operating system (vendor and version number).
Reported bugs will be assessed by our security team to determine if they qualify for a reward. We will consider the impact to the company and our users and will calculate the reward accordingly.
You will be eligible for a bounty only if you are the first person to disclose an unknown issue to us.
The more thorough the proof-of-concept, the higher the chance a payout will be awarded.
Do not interrupt our services, destroy any data, compromise other users' accounts or commit privacy violations.
While researching and also when it's time to report a potential vulnerability, we'd like to ask you to refrain from performing any of the following activities or attacks:
Denial of service (DoS or DDoS) attacks
Social engineering (e.g. phishing) of our staff or contractors
Physical attempts against our property or data centers
Vulnerabilities affecting outdated browsers or platforms
Spamming
Missing security-related HTTP headers which do not directly lead to vulnerabilities
SSL/TLS best practices
CSRF
Clickjacking
Results of automated tools or scanners
Brute-force attacks
Incomplete or missing SPF, DKIM or DNSSEC
Weak password policy
Presence of “autocomplete” attributes in forms
Self-XSS
You are expected to comply with all applicable laws in connection with your participation in this program.
You are responsible for the payment of any taxes associated with rewards received.
We may modify the terms of this program or terminate the program at any time.
Thank you for helping keep delight.im and our users safe!
Scope Type | Scope Name |
---|---|
android_application | im.delight.letters |
web_application | www.briefe.io |
web_application | www.moviecontentfilter.com |
web_application | briefe.io |
web_application | moviecontentfilter.com |
web_application | www.delight.im |
web_application | delight.im |
web_application | https://github.com/delight-im |
Scope Type | Scope Name |
---|---|
android_application | im.delight.birthdays |
web_application | sites.delight.im |
This program was found on HackerOne on 2017-07-16.
FireBounty © 2015-2024