SECURITY

EcpPro is committed to working with security experts around the world to stay up to date with the latest security techniques.

If you have discovered a security issue that you believe we should know about, we'd love to hear from you!

• EcpPro will not take legal action against users for disclosing vulnerabilities as instructed here.
• Vulnerability reports will always be responded to as fast as possible—usually within 24 hours.
• Based on the validity, severity, and scope of each issue, we'll reward you with awesome shtuff (or just cold, hard cash if you prefer).

• Testing should be limited to sites and services that EcpPro directly operates. We will not accept reports for third-party services or providers.
• Don't perform any actions that could harm the reliability or integrity of our services and data. Some examples of harmful activities that are not permitted under this bounty include: brute forcing, denial of service (DoS), spamming, timing attacks, etc.
• Don't use scanners or automated tools to find vulnerabilities.
• No information about issues found should be publicly disclosed or shared until we've completed our investigation and resolution.

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are generally considered out of scope (not an exhaustive list):

• Account/E-mail enumeration
• Attacks requiring MITM or physical access to a user's device
• Brute force attacks
• Clickjacking
• Content spoofing and text injection
• CSRF vulnerabilities
• Denial of Service attacks where the outcome is resource exhaustion
• Email SPF, DKIM, and DMARC records
• Missing HttpOnly/Secure cookie flags
• Open CORS headers
• Publicly accessible login panels
• Reports from scanners and automated tools
• Self-exploitation (like token reuse and console scripting)
• Social engineering or phishing attacks targeting users or staff
• NSFW gating
• Rate limiting