Report A Vulnerability
If you have discovered a security vulnerability, please report it to us by using our security vulnerability reporting form which you can find below. We believe in responsible disclosure and kindly ask to you to allow us a period of time to investigate and patch the vulnerability before you publish details. Verifying and testing of the patch can take from several hours to several days where we perform extensive testing to guarantee the stability and operation of our service.
We actively work together with security researchers and we also participate in the bug bounty program of Bugcrowd. We will always respond to security reports: the security of our users and their data are of greatest importance to us.
Please read the following Responsible Security Disclosure program description before you begin with your security testing:
Responsible Security Disclosure Program
To be considered, submitting vulnerabilities must adhere to the following rules:
- We need to be able to verify the reported vulnerability, and the report itself needs to be provided with as much information as possible such as what browser and platform used. It is greatly appreciated if you include a video;
- Distributed Denial-of-Service (DDoS) attacks and capacity testing are not allowed;
- Automated scanners are not allowed due to the high amount of false positives generated;
- Your testing should not negatively impact another user's Ribose experience. For example, do not send messages to other Ribose users containing cross-site scripting (XSS) without their consent;
- You must be the first researcher to report the issue, the earliest sent report is considered the first report;
- The vulnerability needs to be an actual bug. Suggestions and ideas for improvements in our security are important to us, these however do not qualify as a security vulnerability.
Examples of potential valid issues:
- Authentication flaws;
- Cross-site scripting (XSS);
- Cross-site request forgery (CSRF/XSRF);
- Mixed-content scripts;
- Server-side code execution;
- SQL injection;
- Directory traversal;
- Descriptive error messages (e.g. stack traces, application or server errors).
Examples of invalid issues:
- Output which is copy pasted from automated scanners without an accompanying proof of concept;
- Information leaks such as IP addresses;
- Login page brute force or account lockout not enforced;
- Findings derived from SSL settings (e.g. BREACH attack, insecure SSL ciphers enabled);
- Clickjacking and issues only exploitable through clickjacking;
- CSRF on forms that are available to anonymous users (e.g. the contact form);
- Logout Cross-Site Request Forgery (logout CSRF).
Our security team has the final say in whether a report qualifies as a security vulnerability or a suggestion.
Vulnerabilities can be reported for any Ribose subdomain: *.ribose.com. However, security vulnerabilities in third-party websites or services operating a ribose.com subdomain are explicitly excluded from the Ribose responsible disclosure program.
Finally, if your report is accepted as a security vulnerability, you will be rewarded with a swag kit and you shall be included on our Security Hall of Fame page.