Big Monocle Bug Bounty Program
Big Monocle recognizes the importance of security researchers in helping keep
our community safe. We encourage responsible disclosure of security
vulnerabilities via our bug bounty program described on this page.
Scope of this program
The scope of this program is limited to technical vulnerabilities on Big
Monocle-owned or Big Monocle-designed sites. The domains and properties below are in the
scope of the program:
- Provide us a reasonable amount of time to fix the issue before publishing it elsewhere.
- Make a good faith effort to not leak or destroy any Big Monocle site or user data.
- In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.
If you've discovered a vulnerability in one of our sites or apps, please don't
share it publicly. Send any problems to us via HackerOne. We'll get back to
you as soon as we can with a confirmation and some love.
Only original, previously unreported bugs will be qualified for credit. Bugs
are limited to currently supported browser versions and must be reproducible.
Please include the exact input data and the operation used. Please do not run
automated scans with applications such as Burp Suite; we can do that too. If we
see submissions from anyone we've found to be scanning the system, this will be
considered a DDoS attack and the submissions will be marked invalid.
Only submit one issue per ticket. We provide attribution on our Hall of Fame
as a thank you.
All reports must include all of the following:
- Proof of Concept
- Details on the implications of the vulnerability
- Details on how this could be used in a real-world attack
- Detailed steps on how to reproduce the vulnerability
- Recommendations on a resolution for the issue
Failure to include all of this information will result in an invalid submission.
Examples of bugs that have potential to compromise user data:
- Cross-Site Scripting (XSS) *See exceptions below
- Cross-Site Request Forgery (CSRF/XSRF) *See exceptions below
- Broken Authentication (including Facebook OAuth bugs)
- Circumvention of our Platform/Privacy permission models
- Remote Code Execution
- Privilege escalation from any non-admin role
- XML External Entity (XXE) Processing
The following are out of scope and do not qualify for the program:
- Social engineering
- Physical attacks
- Banner/version disclosure
- Username enumeration
- Previously reported bugs
- Impractical user actions (e.g. the user would need to enter an XSS payload into a field themselves)
- Issues that cannot be reproduced
- DDoS attacks
- CRIME/BEAST attacks
- Brute force password cracking
- Bugs specific to unsupported browsers/plugins
- Signup/Login/Logout cross-site request forgery
- URL redirection
- Attacks mitigated by HSTS (HTTP Strict Transport Security)
- Partner sites and 3rd party sites
All research must not violate any law, or disrupt or compromise any data
that is not your own.