
Security


Disclosure

We'd be grateful if you disclose any bugs you find to us in a coordinated manner at [email protected], and we encourage you to look for them. Note, however, that we do not run a public bug bounty program and therefore have no budget for monetary rewards. If you are hoping to make money, check out our open positions instead. If you like collectibles, we can also award you a rare badge on your profile.

What does not qualify?

Note that not every missing security measure is a vulnerability. For example, a static site that doesn't set X-Frame-Options is probably not vulnerable to clickjacking, since there is no sensitive action on the site for an attacker to hijack. Please verify that your finding actually lets an attacker do something they shouldn't be able to do, such as making a data-modifying request on behalf of another user or gaining access to data they are not authorized to see. Missing hardening measures that don't play a part in a larger vulnerability may still be credited, but this depends on our assessment of severity.

  • Reports that don't include steps to reproduce the bug, or only include the steps in video form.
  • Bugs that don't affect the latest version of modern browsers (Chrome, Firefox, Safari, Edge), or bugs related to browser extensions.
  • Bugs disclosing public or non-sensitive information on a user, like showing that an email is signed up or that an app uses our service.
  • Bugs that have already been reported by someone else, or that we are already aware of.
  • Bugs in services not hosted by us, unless caused by a misconfiguration on our side.
  • Behavior we've determined to be an acceptable risk, usually for improved usability.
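The X-Frame-Options point above is a common triage question, so here is a small added example of how to check it before reporting. This is illustrative code written for this page, not medal.tv's own tooling; the header values and page descriptions in it are constructed samples. It evaluates framing protection the way current browsers do (a Content-Security-Policy `frame-ancestors` directive takes precedence over X-Frame-Options, and the obsolete `ALLOW-FROM` form is ignored), then combines that with whether the page exposes a sensitive action to decide whether a report is warranted.

```python
"""
Added example (not part of the medal.tv security page): is a missing
X-Frame-Options header worth reporting?  Parses the framing-related
response headers as modern browsers interpret them and combines the
result with whether the page actually exposes a sensitive action.
All headers and page descriptions below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Mapping, Optional, Tuple


@dataclass
class FramingVerdict:
    protected: bool           # browser will refuse cross-origin framing
    mechanism: Optional[str]  # which header provides the protection
    reportable: bool          # worth sending to the security contact
    reason: str


def _csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def framing_protection(headers: Mapping[str, str]) -> Tuple[bool, Optional[str]]:
    """
    Decide from response headers (names matched case-insensitively) whether
    arbitrary third-party origins are blocked from framing the page.
    Per the CSP spec, frame-ancestors overrides X-Frame-Options when both exist.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp is not None:
        sources = _csp_frame_ancestors(csp)
        if sources is not None:
            # '*' or a bare scheme source (https:, http:) lets any origin frame the page.
            open_sources = {"*", "http:", "https:"}
            if any(src.lower() in open_sources for src in sources):
                return False, "content-security-policy frame-ancestors (permissive)"
            # 'none', 'self' or an explicit allow-list blocks everyone else.
            return True, "content-security-policy frame-ancestors"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "x-frame-options " + xfo
    # ALLOW-FROM is obsolete and ignored by current browsers: no protection.
    return False, None


def triage_missing_xfo(headers: Mapping[str, str],
                       page_has_sensitive_action: bool) -> FramingVerdict:
    """Apply the policy's rule: a framable page is only a finding if it does something sensitive."""
    protected, mechanism = framing_protection(headers)
    if protected:
        return FramingVerdict(True, mechanism, False,
                              "framing already blocked by " + str(mechanism))
    if not page_has_sensitive_action:
        return FramingVerdict(False, None, False,
                              "no sensitive action to hijack: hardening gap, not a vulnerability")
    return FramingVerdict(False, None, True,
                          "framable page with a sensitive action: possible clickjacking")


if __name__ == "__main__":
    # Constructed sample responses (hypothetical pages, not real medal.tv endpoints).
    samples = [
        ("static landing page, no headers", {}, False),
        ("account settings form, no headers", {}, True),
        ("settings form with CSP", {"Content-Security-Policy":
                                    "default-src 'self'; frame-ancestors 'none'"}, True),
        ("settings form with obsolete ALLOW-FROM",
         {"X-Frame-Options": "ALLOW-FROM https://partner.example"}, True),
    ]
    for label, hdrs, sensitive in samples:
        v = triage_missing_xfo(hdrs, sensitive)
        print(f"{label}: reportable={v.reportable} ({v.reason})")
```

The `page_has_sensitive_action` flag is the part no script can decide for you: it means an authenticated, state-changing control (change email, delete account, transfer funds) rendered on the framable page, which is exactly what the policy asks you to verify before reporting.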

Rules

While we encourage you to look for bugs, please adhere to the following rules to ensure the service experience is not disrupted for other users.

  • Do not attempt to gain access to someone else's account or data.
  • Do not perform attacks that might impact service availability, like DDoS or spam attacks.
  • Do not publicly disclose a bug before it has been fixed.
  • Don't use scanners or automated tools to find vulnerabilities. They're noisy and we'll probably ban your IP address.
  • Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • When in doubt, ask.

As long as you adhere to the rules, we promise a human will respond within 1-3 business days and keep you updated as we work to fix the bug you found. We will not take legal action against you as long as you play by the rules.

Scope

We appreciate reports on vulnerabilities in all services we host under *.medal.tv, and in our supporting services such as MedalBot. The following domains are excluded:

  • status.medal.tv: Hosted by a third party, UptimeRobot. Reach out to them directly for any issues discovered.