Program Overview
Silversight welcomes good-faith security research on the systems and services we own and operate. If you identify a vulnerability, report it privately, and give us enough detail to reproduce it. We'll review the report, coordinate remediation, and make sure you get credit.
There is currently no paid bounty program.
You can expect to hear back in about 2 days. Triage will take around 3 days.
Shared Responsibility Model
Silversight
Review good-faith reports and acknowledge receipt.
Work with researchers to understand and validate credible findings.
Keep reported vulnerabilities non-public while remediation is underway.
Coordinate remediation before broader disclosure.
Security Researcher
Report issues privately with enough detail to reproduce the issue.
Stay within scope and avoid destructive, disruptive, or privacy-invasive testing.
Follow the exclusions and proof-of-concept guidance listed on this page.
Do not publicly disclose the issue until Silversight has had a reasonable opportunity to investigate and remediate it.
Disclosure Process
Scope
This policy applies to Silversight sites, applications, APIs, and supporting services that we own and directly operate. If an issue exists in a third-party dependency or platform we use but do not control, report it to the appropriate vendor unless the vulnerability is caused by our implementation.
If you are unsure whether a target is in scope, ask first at security@silversight.ai.
Exclusions
Findings from physical testing such as office access (e.g. open doors, tailgating).
Findings derived primarily from social engineering (e.g. phishing, vishing).
Findings from applications or systems not listed in the "Scope" section. I do accept high-severity issues on out of scope assets if they directly affect me.
Vulnerability reports with video only PoCs.
Reports that state that software is out of date or vulnerable without a proof of concept.
Highly speculative reports about theoretical damage. Be concrete.
Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.
Issues in third-party services should be reported to the respective team.
Exclusions
| Description | Reason |
|---|---|
| Network-level Denial of Service (DoS/DDoS) vulnerabilities. | I do not want you to disrupt any of my services and to be honest with you if I want to take down a service I will always find a way. |
| Low severity issues that can be detected with tools such as Hardenize and Security Headers. | I run regular scans with these services and try to improve my score gradually. |
| Content injection issues. | The severity of this issue is so low that it does not warrant a report. |
| Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.). | In order for CSRF to be a valid issue it must affect some important action such as deleting one's account. |
| Missing cookie flags. | These type of issues do not present a major risk and are usually picked up by scanners. |
| UI and UX bugs (including spelling mistakes). | No comment. |
| 401 injection. | This is usually an accepted risk. |
| Stack traces that disclose information. | Most of my projects are open-source therefore this information is usually public knowledge. That said, if you discover a stack trace that discloses information which is not located in my GitHub repositories, please do submit a report. |
| Host header issues without an accompanying proof-of-concept demonstrating vulnerability. | PoC or GTFO. |
| Open ports without an accompanying proof-of-concept demonstrating vulnerability. | Same as above. |
| Banner grabbing issues (figuring out what web server I use, etc.). | I will happily share what web servers I am running. |
| Missing X-Frame-Options header (Clickjacking) | The lack of X-Frame-Options does not always indicate that a security vulnerability is present. This is an optional header that is only necessary on endpoints where the UI is rendered to invoke state changing actions. |
| Cross-site tracing | In order for Cross-Site Tracing (XST) to really be a significant issue you would need to find an endpoint vulnerable to Cross-site Scripting (XSS). |
| CSP uses unsafe-inline | The fact that a CSP includes unsafe-inline is not an issue in itself. In order for you to demonstrate the actual impact of this value, I highly recommend you look for an XSS vulnerability. Try to trigger alert(document.domain). |
| Disclosure of robots.txt file | I am aware that in some cases robots.txt files have been known to disclose sensitive information. In my case I have determined that my robots.txt files do not contain any information that poses a potential security risk. |
| Email spoofing (SPF misconfigurations) | I have accepted the risk that this issue poses and do not believe that it warrants an immediate fix. |
| Open redirect using Host header | Open redirects in the Host header are not exploitable. |
| Proving me wrong on Twitter. |
Proof of concepts
| Issue type | When to report the issue |
|---|---|
| XSS | For XSS, a simple alert(document.domain) should suffice. Bonus points for alert('🐸'). |
| RCE | Please only execute harmless code. Simply printing something or evaluating an expression should be enough to demonstrate the issue. |
| SQLi | Report it as soon as you have a SQL error that indicates SQL injection or you are able to disclose the SQL server's version number. |
| Unvalidated redirect | Set the redirect endpoint to http://example.com. |
| Information disclosure | If your report contains sensitive data, please use my PGP key to encrypt it. |
| CSRF | Either attach a file to demonstrate the issue or paste the code in a code block in your report. |
| SSRF | Do not go playing around on any internal networks. Leave the fun bit to me. If you feel the necessity to retrieve an internal file, please only request the internal security.txt file. |
| LFI | The same applies here -- please do not go against the guideline listed in the Disclosure policy section. There should be a security.txt file located in the root directory. Being able to retrieve that file should be enough to demonstrate the issue. |