Does SlimWiki have a Vulnerability Reward Program?

Last updated 4 months ago

While we don't have an established Vulnerability Reward Program, we do encourage you to report any security issue responsibly to support+security@slimwiki.com

Scope


The vulnerability you are reporting must be directly related to one of the following domains: 

  • beta.slimwiki.com
  • api.beta.slimwiki.com

Permissible security research


We only allow security research, that -

  • Makes a good faith effort to avoid affecting third party services or their availability;
  • Makes a good faith effort not to affect or disclose other users' accounts, personal data, or content, and not to affect service availability to other users;
  • Only uses user account(s) that belong to you personally (you are allowed to create several accounts specifically for the purpose of conducting security research for this vulnerability reward program);
  • Only targets user account(s), user data or personal data that belong to you personally, or are bogus test data;
  • Only uses or targets clients that have been installed on hardware you yourself own and operate;
  • Only uses methods that are in compliance with your local and European laws;
  • Does not use malicious or destructive payloads beyond what is technically required for a benign proof-of-concept demonstration;
  • Only targets services or products listed above, with the appropriate exclusions.
If you have any questions about whether a certain type of research is permissible, or whether a given target is in scope, contact us at support+security@slimwiki.com before conducting the research.

Qualifying Vulnerabilities


To qualify for the program, any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope. Common examples include:

  • Cross-site scripting;
  • Cross-site request forgery;
  • Mixed-content scripts;
  • Authentication or authorization flaws (not including brute force attacks or a compromised computer/browser);
  • Server-side code execution bugs;
  • SQL injections.
Note: Vulnerabilities that require prior access to the targeted user account, browser, or computer are out of scope and won't be considered for a reward.

Reporting Guidelines


Before testing for and exploiting any vulnerabilities, it is mandatory to:

A. Obtain consent from us to try to exploit the vulnerability;
B. Use your own test account for the purpose of testing and validation;
C. Provide a working Proof of Concept (PoC) demonstrating the vulnerability.
Only when these conditions are met, will we consider your submission for a reward. Please ensure that you follow these guidelines to ensure responsible disclosure and to maintain the security of user data.

Reward


The size of the reward is solely determined by the SlimWiki team and is based on the estimated risk posed by the vulnerability. The current reward range is from USD 50 to USD 150.

If you report several issues that are duplicated in different parts of the service (e.g., the same code running on different nodes or platforms), or part of a larger issue, these may be combined into one, and only one reward may be paid.

We reserve the right to change these conditions at any time. Changes to the conditions will be reflected in this document, but we will not provide notifications for any updates. It is your responsibility to stay informed of any changes to these guidelines.