Bug Bounty Program

Ghost Inspector prioritizes security. Keeping our service and user data secure is of paramount importance. With that being the case, we welcome the help of security researchers around the world. Help us improve our service by responsibly reporting vulnerabilities that are uncovered. The information below outlines how we process and reward vulnerabilities that are reported to us.

Table of Contents

  • Rewards
  • Scope
  • Reporting Possible Vulnerabilities
  • Eligibility and Responsible Disclosure
  • Qualifying Vulnerabilities
  • Non-Qualifying Vulnerabilities
  • The Fine Print
  • Thank You

Rewards

Ghost Inspector may provide rewards to eligible reporters of qualifying vulnerabilities. Ghost Inspector will determine in its discretion whether a reward should be granted and the amount of the reward. We may choose to pay higher rewards for unusually clever or severe vulnerabilities, and lower rewards for vulnerabilities that require significant or unusual user interaction. This is not a contest or competition. We are appreciative of all responsible reports that are sent our way.

Scope

This program applies to all *.ghostinspector.com domains, including the promotional website, application, API and email service.

Reporting Possible Vulnerabilities

The procedure for contacting Ghost Inspector to report security issues is outlined in our security section. Issues must be reported using the appropriate email address and encryption procedure.

If you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy. When demonstrating a vulnerability, please do so in an unobtrusive manner to avoid drawing public attention to the vulnerability. Vulnerabilities that are exposed publicly as a part of putting together a proof of concept (e.g. website defacement, stored XSS on a public site) are not eligible for reward.

Eligibility and Responsible Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security of Ghost Inspector! However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).
  • We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of certain other countries, or on a denied parties or sanctions list).
  • You may not publicly disclose the vulnerability prior to our resolution.

Qualifying Vulnerabilities

Any design or implementation issue that is reproducible and substantially affects the security of Ghost Inspector users is likely to be in scope for the program. Common examples include:

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Remote Code Execution (RCE)
  • Unauthorized Access to Private Data

When in doubt, consider what an attack scenario would look like. How would the attacker benefit? What would be the consequence to the victim? The Google Bug Hunters University guide may be useful in considering whether something has impact.

Non-Qualifying Vulnerabilities

Depending on their impact, not all reported issues may qualify for a monetary reward. However, all reports are reviewed on a case-by-case basis.

Please refrain from accessing private information (use test accounts), performing actions that may negatively affect Ghost Inspector users (spam, denial of service), or sending reports from automated tools without verifying them.

The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):

  • Attacks requiring physical access to a user’s device
  • Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
  • Logout CSRF
  • Password and account recovery policies, such as reset link expiration or password complexity
  • Invalid or missing SPF (Sender Policy Framework) records
  • Content spoofing / text injection
  • Vulnerabilities related to less-than-current software packages being used (for example, an older version of jQuery). We monitor these packages and schedule upgrades, but breaking changes can cause delays.
  • Issues related to software or protocols not under Ghost Inspector control
  • Reports of spam
  • Bypass of URL malware detection
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
  • Social engineering of Ghost Inspector staff or contractors
  • Any physical attempts against Ghost Inspector property or data centers
  • Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages

The Fine Print

You must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.

We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. This program was initially implemented on May 26th 2017. Bounties will not be retroactively paid for qualifying issues that may have been reported prior to this date.

Thank You

A big thank you to the following folks for responsibly reporting security concerns to us.

  • Nitin Goplani
  • Osama Ansari
  • Vismit Rakhecha
  • Vineet Kumar
  • Muzammil Abbas Kayani
  • April Rose B. Alvarado

* If you’ve reached out to us in the past and would like to be listed here, please contact us.

Portions of this program, including specific text and descriptions, are based on Twitter’s bug bounty program.