26/03/2019

Rewards: Thanks, Gift, Hall of Fame, Reward

StackPath

Our platform of secure edge services is developed in pursuit of our ultimate mission: to make the internet safe. We greatly value the hard work and genius of the internet security research community, and welcome reports of any discovered StackPath platform vulnerability.

If you identify a vulnerability in our platform please notify us right away through the methods outlined in our Vulnerability Disclosure Program. We investigate all reported vulnerabilities and resolve identified issues as quickly as possible. We appreciate your efforts and cooperation avoiding privacy violations, damaging data, or otherwise interrupting or causing a negative impact on any of our services as you conduct your research.


Ratings:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.


Guidelines

  • Perform research only within scope.
  • If you find a vulnerability that exposes customer or employee personal information, stop testing and report the issue immediately.
  • If you gain access to any non-public application or non-public credentials, stop testing and report the issue immediately.
  • Do not purposefully attempt to degrade systems or services during testing.
  • Collect and submit all information necessary to demonstrate the vulnerability.
  • Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar using the Bugcrowd submission form (do not use third party file sharing sites).
  • Only target your own account and do not attempt to access data from anyone else’s account that you do not expressly own.
  • Follow the Bugcrowd “Coordinated Disclosure” rules.

Focus Areas

  • Cross Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Cross-Origin Resource Sharing (CORS)
  • Server-side Request Forgery (SSRF)
  • XML External Entities (XXE)
  • SQL Injection (SQLi)
  • Authentication related issues
  • Authorization related issues
  • Data Exposure
  • Redirection attacks
  • Remote Code Execution (RCE)
  • Clickjacking
  • Insecure Deserialization
  • Business Logic
  • Unauthorized API actions
  • Domain takeover
  • Web Application Firewall (WAF)
  • Application Denial of Service (L7 DoS)
  • Clever vulnerabilities that do not fall into the above categories

Excluded Submission Types

  • Vulnerability reports which do not include careful manual validation
  • Reports based only on results from automated tools and scanners
  • Theoretical attack vectors without proof of exploitability
  • Any customer hosted systems or services
  • Issues related to third-party vendors
  • Social engineering / phishing
  • Attacks requiring physical access to a user's machine
  • Missing or incorrect SPF/DMARC/DKIM records

Third-party bugs

If there is no impact on StackPath servers or services, researchers will be encouraged to contact the third-party vendor directly.


This program only awards points for VRT-based submissions.

Targets

In scope

Target name | Type
---|---
Any host owned by StackPath | Other
Any product/service offered by StackPath | Other
control.stackpath.com | Website
cp.maxcdn.com | Website
login.serverdensity.io | Website
striketracker.highwinds.com | Website
*.stackpath.com - Any host or services | Other
*.stackpath.net - Any host or services | Other
*.stackpath.dev - Any host or services | Other
*.highwinds.com - Any host or services | Other
*.maxcdn.com - Any host or services | Other
*.maxcdn.net - Any host or services | Other
*.serverdensity.com - Any host or services | Other
<your-instance>.serverdensity.io | Other

Out of scope

Target name | Type
---|---
<customer>.serverdensity.com | Other
*.stackpathdns.com | Other
*.hwcdn.net | Other

Testing is only authorized on the targets listed as In-Scope. Any domain/property of StackPath not listed in the targets section is out of scope. If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.
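The two tables above are easy to misread under time pressure: `*.serverdensity.com` is in scope while `<customer>.serverdensity.com` is not, only `<your-instance>.serverdensity.io` is allowed under that domain, and the `*.stackpathdns.com` / `*.hwcdn.net` exclusions sit next to in-scope wildcards that look similar. The following Python helper is an added example, not part of the program page or any StackPath tooling. It transcribes the scope tables into a classifier with explicit precedence (exclusions first, then listed hosts, then tenant domains, then wildcards, then "not listed means out"). The `review` category, the assumption that a `*.domain` wildcard also covers the apex name, and the constructed sample hostnames are this example's own.

```python
"""Scope classifier for the StackPath Bugcrowd program as listed above.

Added example, not part of the program page or StackPath's tooling. The
pattern lists are transcribed from the In scope / Out of scope tables; the
"review" category and the apex-domain handling are assumptions of this example.
"""
from __future__ import annotations

# Explicitly listed in-scope hosts (Website rows of the In scope table).
IN_SCOPE_HOSTS = {
    "control.stackpath.com",
    "cp.maxcdn.com",
    "login.serverdensity.io",
    "striketracker.highwinds.com",
}

# "*.<domain> - Any host or services" rows. Assumption: the wildcard also
# covers the apex name itself, since the row says "any host or services".
IN_SCOPE_WILDCARDS = [
    "stackpath.com", "stackpath.net", "stackpath.dev",
    "highwinds.com", "maxcdn.com", "maxcdn.net",
    "serverdensity.com",
]

# Wildcards the program explicitly excludes; these win over any inclusion.
OUT_OF_SCOPE_WILDCARDS = ["stackpathdns.com", "hwcdn.net"]

# Domains whose subdomains are per-customer instances: *.serverdensity.com is
# in scope but <customer>.serverdensity.com is not, and under serverdensity.io
# only login.* and <your-instance>.* are allowed. A matcher cannot tell a
# customer's instance from a StackPath-owned host, so unlisted subdomains are
# flagged "review" (this example's label) instead of being auto-approved.
TENANT_DOMAINS = ["serverdensity.com", "serverdensity.io"]


def normalize(host: str) -> str:
    """Lower-case and strip surrounding whitespace and a trailing dot."""
    return host.strip().rstrip(".").lower()


def under(host: str, base: str) -> bool:
    """True if host is base or a subdomain of base.

    Matches on a label boundary, so 'evil-stackpath.com' is NOT under
    'stackpath.com' (a plain endswith() check would get this wrong).
    """
    return host == base or host.endswith("." + base)


def classify(host: str) -> str:
    """Return 'in', 'out' or 'review' for a hostname under this program's rules."""
    h = normalize(host)
    # 1. Explicit exclusions take precedence over everything else.
    if any(under(h, d) for d in OUT_OF_SCOPE_WILDCARDS):
        return "out"
    # 2. Explicitly listed hosts are in.
    if h in IN_SCOPE_HOSTS:
        return "in"
    # 3. Unlisted subdomains of tenant domains may belong to a customer:
    #    confirm you own the instance before testing.
    if any(h != d and under(h, d) for d in TENANT_DOMAINS):
        return "review"
    # 4. Remaining in-scope wildcards (apex included, see assumption above).
    if any(under(h, d) for d in IN_SCOPE_WILDCARDS):
        return "in"
    # 5. "Any domain/property of StackPath not listed ... is out of scope."
    return "out"


if __name__ == "__main__":
    # Constructed sample hostnames for illustration only.
    for candidate in [
        "control.stackpath.com", "API.STACKPATH.COM.", "origin.highwinds.com",
        "cdn.stackpathdns.com", "x.hwcdn.net", "acme.serverdensity.com",
        "myinstance.serverdensity.io", "evil-stackpath.com", "example.com",
    ]:
        print(f"{candidate:32} -> {classify(candidate)}")
```

Anything that comes back as `review` still needs the ownership check the Access section asks for; the classifier only tells you which rule applies, not whether the account behind a tenant hostname is yours.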

Access:

All of the above targets are publicly accessible. Researchers are encouraged to create trial accounts to test with, or to use any existing accounts they already legally own. Please DO NOT perform any testing against accounts you do not expressly own.

API Documentation

Additional Information:

Researchers are encouraged to check our status page for any ongoing issues that may interfere with testing. https://status.stackpath.com

If you have any questions regarding the StackPath program, please reach out to support@bugcrowd.com.

Happy Hunting!

Program rules

This program follows Bugcrowd’s standard disclosure terms.

Learn more about Bugcrowd’s VRT.


Firebounty have crawled on 2019-03-26 the program StackPath on the platform Bugcrowd.

FireBounty © 2015-2020
