Reporting Vulnerabilities to dev.to
Found a vulnerability in our systems? Fill out this form here. You'll hear back from us within two weeks at the absolute latest, and we'll let you know:
- If it's been reported previously,
- Whether or not we think it's a valid issue,
- And if it's eligible for a reward.
Security Guidelines and Etiquette
Please read and follow these guidelines prior to sending in any reports.
1. Do not test vulnerabilities in public. We ask that you do not attempt any vulnerabilities, rate-limiting tests, exploits, or any other security/bug-related findings if it will impact another community member. This means you should not leave comments on someone else’s post, send them messages via Connect, or otherwise, impact their experience on the platform.
Note that we are open source and have documentation available if you're interested in setting up a dev environment for the purposes of testing.
2. Do not report similar issues or variations of the same issue in different reports. Please report any similar issues in a single report. It's better for both parties to have this information in one place where we can evaluate it all together. Please note any and all areas where your vulnerability might be relevant. You will not be penalized or receive a lower reward for streamlining your report in one place vs. spreading it across different areas.
3. The following domains are not eligible for our bounty program as they are hosted by or built on external services:
- jobs.dev.to (Recruitee)
- status.dev.to (Atlassian)
- shop.dev.to (Shopify)
- docs.dev.to (Netlify)
- storybook.dev.to (Netlify)
We've listed the service provider of each of these domains so that you might contact them if you wish to report the vulnerability you found.
4. DoS (Denial of Service) vulnerabilities should not be tested for more than a span of 5 minutes. Be courteous and reasonable when testing any endpoints on dev.to as this may interfere with our monitoring. If we discover that you are testing DoS disruptively for prolonged periods of time, we may restrict your award, block your IP address, or remove your eligibility to participate in the program.
5. Please be patient with us after sending in your report. We’d appreciate it if you avoid messaging us to ask about the status of your report. Our team will get back to you as quickly as we are able. It is okay to inquire about the status of your report if you haven’t heard from us 2 weeks after sending it in. Otherwise, we ask that you please wait patiently for us to contact you, unless you have more information relevant to the vulnerability that you’d like to share.
Vulnerability Assessment and Reward
Vulnerabilities are assessed via BugCrowd's taxonomy rating and our judgment. We strive to be honest, fair, and reasonable based on the size of our current overall operating budget. We pay out the following rewards for the corresponding vulnerability levels:
- P5 ($0)
- P4 ($0)
- P3 ($50 USD)
- P2 ($100 USD)
- P1 ($250 USD or more)
Please note that if you report several similar issues or variations of the same issue in different reports, we may aggregate these together for a single reward. In these instances, we ask that you try to provide all examples in a single report rather than writing multiple reports (e.g. report all affected endpoints in one issue.)
Thank you!
Thanks to those who have helped us by finding, fixing, and disclosing security issues safely:
- Aman Mahendra
- Muhammad Muhaddis
- Sajibe Kanti
- Sahil Mehra
- Prial Islam
- Pritesh Mistry
- Jerbi Nessim
- Vis Patel
- Mohammad Abdullah
- Ismail Hossain
- Antony Garand
- Guilherme Scombatti
- Ahsan Khan
- Shintaro Kobori
- Footstep Security
- Chakradhar Chiru
- Mustafa Khan
- Benoit Côté-Jodoin
- Rahul PS
- Kaushik Roy
- Kishan Kumar
- Gids Goldberg
- Zee Shan
- Md. Nur A Alam Dipu
- Yeasir Arafat
- Shiv Bihari Pandey
- Nicolas Verdier
- Mathieu Paturel
- Arif Khan
- Sagar Yadav
- Sameer Phad
- Chirag Gupta
- Akash Sebastian
- Mustafa Diaa (c0braBaghdad1)
- Vikas Srivastava, India
- Md. Asif Hossain, Bangladesh
- Ali Kamalizade
- Omet Hasan
- Sergey Kislyakov
- Ajaysen R
- Govind Palakkal
- Kishore Krishna Pai
- Panchal Rohan
- Rahul Raju
- Thijs Alkemade
- Nanda Krishna
- Narender Saini
- Alan Jose
- Sumit Oneness
- Sagar Raja
- Faizan Nehal Siddiqui
- Michal Biesiada (mbiesiad)
- Aleena Avarachan
- Krypton (@kkrypt0nn)
- Jefferson Gonzales (@gonzxph)
- ALJI Mohamed (@sim4n6)