Security Stance

Security and transparency are top priorities at Chaturbate. Networks are dynamic. The technology, users, data in the systems, risks, and security requirements are ever-changing. Chaturbate knows that security is never perfect and can never be taken for granted. People will discover new ways to intentionally or unintentionally bypass or subvert security.

Time can expose new vulnerabilities, and the most effective way to counteract these vulnerabilities is to become aware of them quickly and to fix them immediately with rewards for you.

Reporting Guidelines

Submitting clear, detailed reports is highly encouraged. Each report should explain one vulnerability in detail, identify its impact, and most importantly include steps or a "proof of concept" instructions to reproduce the issue.

Very low-quality reports, such as those which only contain automated output, will be rejected.

• Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.

• Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of service.

• Only interact with accounts you own or with explicit permission of the account holder.

• Include attachments such as screenshots or proof of concept code as necessary.

• Disclose the vulnerability report directly and exclusively to us.

Rewards

Please see our reward table above.

To qualify for a reward under this program, you should be the first to report the vulnerability.

Scope

At this time, the scope of this program is limited to security vulnerabilities found on Chaturbate and its supporting services. Vulnerabilities reported for other properties may be considered on a case-by-case basis.

Exclusions

While researching, refrain from:

• Interfering with other users of the site

• Spamming

• Social engineering (including phishing) of staff or contractors

• Any physical attempts against property or data centers

• Scripting or other automation and brute forcing of intended functionality

Denial of Service and Brute Force

Targeted brute force attacks are permitted to discover incorrect or missing rate limits; however the request rate must be under 100 requests per minute for an endpoint. E.g. checking the rate limit on a password input.

Additionally the requests must only be made against your own accounts.

A missing rate limit does not always signify a security issue, only endpoints performing sensitive actions may be considered.

Indiscriminate brute forcing or Denial of Service above the specified rate are not permitted.

The following reports do not qualify

• Reports regarding using the same email for multiple accounts, this is by design

• Reports regarding username enumeration

• Reports about the external_url page

• Reports about password requirement for changing email, this is commonly misreported

• Reports against other sites, such as "stream ripping" or "stream capping" sites

• Reports that involve manipulating the room user count

• Reports regarding ability to frame/embed the register and room viewing pages

• Bugs requiring exceedingly unlikely user interaction

• HttpOnly and Secure cookie flags

• Reports of software version disclosure

• Reporting vulnerabilities that are deemed as accepted risks

• Bugs that don’t affect the latest version of modern browsers, or browser extensions.

• Attacks requiring MITM or physical access to a user's device

• Previously known vulnerable libraries without a working Proof of Concept.

• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Chaturbate and our users safe!