EncryptBD is committed to working with security experts across the globe to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we'd welcome working with you. Please let us know about it and we'll make every effort to fix the issue.
1. Any vulnerability found must be reported no later than 24 hours after discovery.
2. You are not allowed to disclose details about the vulnerability anywhere else.
3. You must avoid tests that could cause degradation or interruption of our service.
4. You must not leak, manipulate, or destroy any user data.
5. You are only allowed to test against accounts you own yourself.
6. The use of automated tools or scripted testing is not allowed.
EXCLUSIONS
While researching, we'd like to ask you to refrain from:
1. Denial of service.
3. Social engineering (including phishing) of EncryptBD staff or contractors.
4. Any physical attempts against EncryptBD property or data centers.
5. Don't report vulnerabilities in third-party software that doesn't belong to EncryptBD.
6. Do not send reports that don't have a real attack scenario.
7. Content Spoofing without significant risk.
8. Attacks which need user interaction.
COMPLETELY EXCLUDED FROM PROGRAM
Please do not report the following types of bugs. We are already aware of some of them and are not interested in fixing them. They will be fixed in the future.
1. Information disclosure
2. Software version disclosure
3. XSS attacks via POST or headers
4. Missing SPF or DMARC records
5. HttpOnly and Secure cookie flags
6. SSL/TLS related (such as HSTS)
7. Password and account recovery policies
8. Session timeout
9. Session Hijacking (cookie reuse)
10. Missing X-Frame or X-Content headers
11. Account enumeration
We like to recognize others' work for us. If you report a valid security issue, you'll be listed on our Hall of Fame page.
The following assets are in scope: *.encryptbd.com
Email us at: info [at] encryptbd.com