Responsible Disclosure Policy
Security is our priority at Donorbox, and we are committed to ensuring the security and privacy of our users. This policy gives clear guidelines on how to responsibly report security vulnerabilities to Donorbox.
This responsible disclosure policy states which domains and which types of vulnerabilities, findings, and research are covered under this policy, how to send us vulnerability findings, and what to expect from our side.
We encourage you to contact us to report potential vulnerabilities in Donorbox.
If you make a good faith effort to comply with this policy after discovering a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible.
If you discover a vulnerability in Donorbox and want to share it with us, we ask you, in the spirit of responsible disclosure, to send us an email demonstrating the vulnerability and following this policy.
Donorbox reserves all legal rights and may file a complaint with law enforcement in the event of noncompliance with this policy.
Donorbox will update and revise this policy over time, and Donorbox reserves the right to change or cancel this policy at any time.
How to submit a vulnerability
- To disclose a potential security vulnerability, please email it to our security team:
- When reporting a security vulnerability, please do so responsibly and provide:
  - a summary of the vulnerability
  - a proof of concept
  - the tools, commands, or scripts used
What to expect
- We will handle your email with strict confidentiality
In-scope assets
Out of scope targets
- Any domain or subdomain other than donorbox.org
Typical Vulnerabilities Accepted
- OWASP Top 10 vulnerability categories
- Other vulnerabilities with demonstrated impact
- SQL Injection
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Authentication related issues
- Authorization related issues
- Redirection Attacks
- Remote Code Execution
- Data Exposure
- Contact us immediately after you discover a security vulnerability.
- Only use exploits to the extent necessary to confirm a vulnerability's presence.
- Give us a reasonable amount of time to resolve the issue, and never disclose it publicly.
- Never request compensation or bounty for finding security vulnerabilities and reporting them to us.
- Use only your own accounts in the process of finding the bug.
- If in doubt, contact us.
- Do not engage in any kind of social engineering, spam, or physical testing.
- Do not engage in phishing.
- Do not publicly disclose it or share your vulnerability finding with anyone else.
- Do not test third-party services.
- Do not upload anything related to the vulnerability to third-party sites (e.g. YouTube).
- Do not access, destroy, or negatively impact Donorbox or its customers' data in any way.
- Do not break any laws or agreements already made.
- Never use automated scanners or tools to look for vulnerabilities in Donorbox.
- Don't take advantage of the weakness you've discovered.
- Data destruction or manipulation is never allowed.
- Never engage in any sort of privacy breach or violation.
- Never degrade or disrupt our users' experience or our services.
Out of Scope Reports
- Theoretical vulnerabilities
- Informational disclosure of non-sensitive data
- WordPress Username Enumeration
- CSV Injection
- PHP Info
- Information related to server status etc.
- Client-side application/browser autocomplete or saved password/credentials
- Error pages etc.
- Enumeration of directories, files, or assets, etc.
- Findings related to password strength etc.
- Login/Logout/Unauthenticated/Low-impact CSRF
- Missing Cookie flags
- Self-XSS and similar findings that cannot be used to attack other users or organizations.
- Anything which involves social engineering.
- DDoS or DoS.
- SSL issues (e.g. misconfiguration or version).
- Misconfigured SPF, DKIM, or DMARC records.
- Donorbox reserves the right to make final decisions
Hall of fame