Security at EcpPro
EcpPro is committed to working with security experts around the world to stay up to date with the latest security techniques.
If you have discovered a security issue that you believe we should know about, we'd love to hear from you!
- EcpPro will not take legal action against users for disclosing vulnerabilities as instructed here.
- Vulnerability reports will always be responded to as fast as possible—usually within 24 hours.
- Based on the validity, severity, and scope of each issue, we'll reward you with awesome shtuff (or just cold, hard cash if you prefer).
Program Rules:
- Testing should be limited to sites and services that EcpPro directly operates. We will not accept reports for third-party services or providers.
- Don't perform any actions that could harm the reliability or integrity of our services and data. Some examples of harmful activities that are not permitted under this bounty include: brute forcing, denial of service (DoS), spamming, timing attacks, etc.
- Don't use scanners or automated tools to find vulnerabilities.
- No information about issues found should be publicly disclosed or shared until we've completed our investigation and resolution.
Out of Scope Vulnerabilities:
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.
The following issues are generally considered out of scope (not an exhaustive list):
- Account/E-mail enumeration
- Attacks requiring a man-in-the-middle (MITM) position or physical access to a user's device
- Brute force attacks
- Clickjacking
- Content spoofing and text injection
- CSRF vulnerabilities
- Denial of Service attacks where the outcome is resource exhaustion
- Email SPF, DKIM, and DMARC records
- Missing HttpOnly/Secure cookie flags
- Open CORS headers
- Publicly accessible login panels
- Reports from scanners and automated tools
- Self-exploitation (e.g. reusing your own session token, or pasting scripts into your own browser console)
- Social engineering or phishing attacks targeting users or staff
- NSFW gating
- Rate limiting