We believe that working with experienced security researchers across the globe
is fundamental to identifying weaknesses in our technology and essential for
keeping our products and our users safe.
If you believe you've found a security issue in one of our products or
services, we kindly ask you to notify us. We welcome working with you to
resolve the issue promptly.
Domains, applications and properties in scope
Inclusions – Findings that are in scope
- Remote-code execution (RCE)
- SQL injection
- Authentication bypass
- Leakage of sensitive data
- Privilege escalation
- Improper access control
- Cross-site scripting (XSS)
- Server-side request forgery (SSRF)
- Let us know about potential security issues as soon as possible upon discovery, and we'll make every effort to resolve the issue quickly and adequately.
- Please provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or to any third parties.
- Please strive to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts that you own or with accounts where you have the explicit permission of the account holder.
- Include proofs of exploitability, e.g. steps to reproduce, screenshots, images, video or scripts.
- Minimize the damage that occurs during your research. Use and operate on test accounts only and test "safe" commands such as
cat /proc/1/maps or
- Describe the environment that you found a weakness in, e.g. URL, application, browser (vendor and version number) and operating system (vendor and version number).
- Reported bugs will be assessed by our security team to determine if they qualify for a reward. We will consider the impact to the company and our users and will calculate the reward accordingly.
- You will be eligible for a bounty only if you are the first person to disclose an unknown issue to us.
- The more thorough the proof-of-concept, the higher the chance a payout will be awarded.
- Do not interrupt our services, destroy any data, compromise other users' accounts or commit privacy violations.
Exclusions – Findings that are out of scope
While researching and also when it's time to report a potential vulnerability,
we'd like to ask you to refrain from performing any of the following
activities or attacks:
- Denial of service (DoS or DDoS) attacks
- Social engineering (e.g. phishing) of our staff or contractors
- Physical attempts against our property or data centers
- Vulnerabilities affecting outdated browsers or platforms
- Missing security-related HTTP headers which do not directly lead to vulnerabilities
- SSL/TLS best practices
- Results of automated tools or scanners
- Brute-force attacks
- Incomplete or missing SPF, DKIM or DNSSec
- Weak password policy
- Presence of “autocomplete” attributes in forms
- You are expected to comply with all applicable laws in connection with your participation in this program.
- You are responsible for the payment of any taxes associated with rewards received.
- We may modify the terms of this program or terminate the program at any time.
Thank you for helping keep delight.im and our users safe!
Hall of Fame