Trustpilot
2019-04-25
2019-08-02
Reward: 50 $
Trustpilot looks forward to working with the security community to find security vulnerabilities in order to keep our business, customers and reviewers safe. Trustpilot will make a reasonable effort to respond to incoming reports within five (5) business days. Bounty classification will be confirmed after validating a legitimate security issue and identifying a feasible fix. We will do our best to keep you informed about our progress throughout the process.

Useful resources that you can use while exploring our assets: https://developers.trustpilot.com and https://support.trustpilot.com. Also keep in mind that our Product teams are very agile, releasing new code around 200 times per week, which means that our services, features and integrations are always subject to change!

Program Rules

  • Please give us time to patch. Zero-day vulnerabilities and CVEs whose patch was released fewer than 7 days ago are ineligible for bounty and will be treated as informational findings only.

  • Social engineering (such as phishing, vishing, smishing) is strictly prohibited.

  • Follow HackerOne's disclosure guidelines.

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the finding will not be eligible for a reward.

  • Submit one vulnerability per report, unless you can chain the vulnerabilities and clearly demonstrate the chain.

  • In the event of duplicate findings on the same vector, we only award the first report that was received (provided that it can be fully reproduced).

  • Multiple vulnerabilities caused by the same attack vector will be awarded one bounty.

  • The amounts mentioned below under “Rewards” are the ranges we will pay per category. We aim to be fair, and all final reward amounts are at Trustpilot’s sole discretion.

  • We award bounties at time of fix, and aim to keep you posted as we work to resolve them.

  • Provide a reasonable amount of time for us to assess and/or resolve the reported finding.

  • Disclosure to the public or a third-party requires prior written approval from Trustpilot.

  • You are prohibited from taking any actions that will violate the privacy of our customers, users, or employees, destroy data, or interrupt or degrade our service. Only interact with accounts you own or with explicit permission of the account holder.

  • Spamming other users with automated Trustpilot emails or notifications is strictly prohibited (e.g. abusing the forgot-password form on accounts that are not your own).

  • Reports received prior to our bug bounty program launch are not eligible for resubmission, as we have already responded to these via direct communication.

  • Please delete test data (where possible) once you are done testing.

In Scope

Please check the listed assets, below.

Bugs in third-party services should be reported directly to the respective third party, unless the bug relates to our implementation of the service.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope, so please refrain from reporting them:

  • Cookie security issues for non-session cookies

  • Missing HTTP security headers

  • Denial of service (DoS & DDoS attacks are strictly not permitted)

  • Rate limiting issues

  • Spamming

  • Social engineering (including phishing) of Trustpilot staff or contractors

  • Any physical attempts against Trustpilot property or datacenters

  • Mass/bulk user profile creation.

  • Interacting with other accounts without the consent of their owners. Test only with your own user profiles when researching bugs.

  • Logout CSRF

  • Automated tool reports

  • Presence of autocomplete on web forms

  • Attacks only exploitable on older browsers

  • Open redirects - unless they can be used for actively stealing tokens

  • Reports stating software is out of date or vulnerable without a proof of concept

  • Disclosure of known public files or directories (e.g. S3).

  • Lack of Secure and HTTPOnly cookie flags.

  • Requesting account upgrades for deeper product testing.

  • Claiming email provider using matching domain.

  • Privilege escalation by means of the user-roles product feature.

  • SQL/database injection attacks and XSS attacks on the following assets:

  • *.business.trustpilot.com

  • *.legal.trustpilot.com

  • *.investors.trustpilot.com

  • *.ipo.trustpilot.com

  • *.trustpilot.com/blog

  • *.trustpilot.com/trust

These assets are served by Contentful and HubSpot and do not use any database technology of our own. SQL injection testing against them would therefore in effect be testing third-party services, which could lead to Trustpilot being blacklisted by those services.

These assets also do not accept any user-uploaded content; the only user-generated content they display is Trustboxes sourced from elsewhere. XSS is therefore not a realistic avenue of attack on the domains listed above, and any XSS concern involving that content falls under the scope covering Trustboxes.

Thank you for your time and for helping to keep Trustpilot and our users safe!

In Scope

Scope Type       Scope Name
web_application  *authenticate.trustpilot.com
web_application  *api.trustpilot.com
web_application  *b2b.trustpilot.com
web_application  *www.trustpilot.com
web_application  *share.trustpilot.com
web_application  *emailsignature.trustpilot.com
web_application  *signup.business.trustpilot.com
web_application  *widget.trustpilot.com
web_application  *locale.trustpilot.com
web_application  *invitations-api.trustpilot.com
web_application  *consumer-auth.trustpilot.com
web_application  *business.trustpilot.com
web_application  *jobs.trustpilot.com
web_application  *blog.trustpilot.com
web_application  *legal.trustpilot.com
web_application  *ipo.trustpilot.com

Out of Scope

Scope Type       Scope Name
web_application  trustpilotinfo.com
web_application  *support.trustpilot.com
web_application  *press.trustpilot.com
web_application  *apps.trustpilot.com
web_application  *apidoc.trustpilot.com


This program was crawled on 2019-04-25 and is sorted as a bounty program.

FireBounty © 2015-2024