Responsible Disclosure Policy
Security is our priority @ Donorbox and we are committed to ensuring the security and privacy of our users. This policy is intended to give clear guidelines on how to responsibly report the security vulnerabilities to Donorbox.
This responsible disclosure policy states that what domains and types of vulnerabilities or findings and research are covered under this policy, how to send us vulnerability findings, and what to expect from our side.
We encourage you to contact us to report potential vulnerabilities in Donorbox.
If you make a good faith effort to comply with this policy after discovering a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible.
If you discover a vulnerability regarding the Donorbox and you want to share it with us, we ask you, in the spirit of responsible disclosure, to send us an email demonstrating vulnerability by following this policy.
Donorbox reserves all legal rights and can initiate a complaint to law enforcement in the event of noncompliance with the policy.
Donorbox will update and revise this policy as we move forward into the future and Donorbox reserves all rights to change or cancel this policy at any time.
How to submit a vulnerability
- To disclose a potential security vulnerability, Please email it to our security team:
- [email protected]box.org (Encrypt your findings using our PGP key to prevent this critical information from falling into the wrong hands)
- When reporting a security vulnerability, please do so responsibly and provide:
- a summary of the vulnerability
- a proof of concept
- tools, commands, or scripts used.
What to expect
- We will handle your email with strict confidentiality
- We will add your name to our “Hall of fame” and provide you a certificate of appreciation if desired by you.
In scope asset
Out of scope targets
- Any other domain or sub-domain other than donorbox.org
Typical Vulnerabilities Accepted
- OWASP Top 10 vulnerability categories
- Other vulnerabilities with demonstrated impact
- SQL Injection
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Authentication related issues
- Authorization related issues
- Redirection Attacks
- Remote Code Execution
- Data Exposure
- Contact us immediately after you have discovered the security vulnerability.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence.
- Provide us a reasonable amount of time to resolve the issue and never disclose it publicly.
- Once you’ve verified that a vulnerability exists or found any sensitive data you should stop your activity and not move forward and not disclose the finding to any third party.
- When investigating vulnerabilities, please act in good faith and respect the data privacy of other users as well as the service availability of Donorbox. Many people use Donorbox daily, and it’s harmful -- and illegal -- to disrupt their usage of Donorbox.
- Never request compensation or bounty for finding security vulnerabilities and reporting them to us.
- Use your accounts in the process of finding the bug.
- If in doubt, contact us.
- Do not erase/manipulate data or compromise Donorbox services or get involved with the 3rd parties to share our confidential data.
- Do not get involved in any kind of social engineering, spam, and physical testing.
- Do not get involved in phishing
- Do not conduct intrusive research, such as DoS attacks, or take any other action that may jeopardize the security, credibility, or availability of data and systems.
- Do not publicly disclose it or share your vulnerability finding with anyone else.
- No testing of Third-party Services
- Do not upload anything related to vulnerability to third parties. i.e. Youtube etc.
- Never use a vulnerability to compromise or ex-filtrate files, to gain permanent or persistent command-line access, or to pivot to other applications, systems, or programs.
- Do not access, destroy, or negatively impact Donorbox or its customers’ data in any way
- Do not break any laws or agreements already made.
- Never automated scanner or tools to look for vulnerabilities in Donorbox.
- Don't take advantage of the weakness you've discovered.
- Data destruction or manipulation is never allowed by us.
- Never involve in any sort of privacy breaches and violations
- Never involve in the degradation and disruption of our user’s experience and our services.
Out of Scope Reports
- Theoretical vulnerabilities
- Informational disclosure of non-sensitive data
- WordPress Username Enumeration
- CSV Injection
- PHP Info
- Information related to server status etc.
- Client-side application/browser autocomplete or saved password/credentials
- Error pages etc.
- Enumeration of directories, files, or assets, etc.
- Findings related to password strength etc.
- Login/Logout/Unauthenticated/Low-impact CSRF
- Missing Cookie flags
- Valid bugs or best practice issues that are not directly related to the security posture of the Donorbox
- Self-XSS like findings that could not be used to attack other users or organizations.
- Anything which involves social engineering.
- DDOS or DoS.
- SSL issues (i.e. misconfiguration or version)
- Misconfigured SPF, DKIM, or DMARC records,
- Any other service or libraries not directly hosted or controlled by Donorbox (i.e. 3 rd party stuff).
- Donorbox reserves the right to make final decisions
- Once you submit a bug to us or find a vulnerability, you agree to be bound by all the rules mentioned above.
Hall of fame
- Donorbox would like to express our gratitude to the following individuals or companies for responsibly disclosing the security flaws to us: