SpeakerMatch Bug Bounty Program

Found a security vulnerability? Here's how to report it!

We aim to keep our services safe for everyone, and data security is of utmost importance. If you are a security researcher and have discovered a security vulnerability in our service, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before publishing technical details.

We will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. We won’t take legal action against, suspend, or terminate access to our services of those who discover and report security vulnerabilities responsibly. We reserve all of our legal rights in the event of any noncompliance.


Reporting

Share the details of any suspected vulnerabilities in the service at www.speakermatch.com with us by submitting a ticket through our system using the button above. Please do not publicly disclose these details outside of this process without explicit permission. When reporting a suspected vulnerability, please include as much information as possible.


Compensation

$50 BOUNTY!

We are pleased to offer a bounty for vulnerability information that helps us protect our customers, as thanks to the security researchers who choose to participate in our bug bounty program. The bounty reward is $50 for each Unacceptable Risk* issue submitted to, verified by, and acted upon by our development team.

Bounty rewards are issued only via PayPal.

The bounty program only applies to vulnerabilities with our service at the domain www.speakermatch.com; we do not offer a bounty for services at any other domain or subdomain.

We do not offer a bounty for submissions deemed to be an Acceptable Risk*. Our team may occasionally offer a special "thank you" award to researchers, at our discretion, for providing exceptional value. 

NOTE: We will only reward the first reporter of a vulnerability. No duplicate reports will be rewarded. 


* An Unacceptable Risk is an item which requires action from our security team. Our team has the final say as to whether a reported vulnerability poses an Unacceptable Risk or an Acceptable Risk. We generally do not take any action on a reported vulnerability deemed to be an Acceptable Risk.


Scope

The bounty program only applies to vulnerabilities with our service at the domain www.speakermatch.com; we do not offer a bounty for services at any other domain or subdomain. You may only test against a SpeakerMatch account for which you are the account owner or a merchant authorized by the account owner to conduct such testing.

We will reward you for the following types of vulnerabilities:

  • Remote Command Execution (RCE)
  • SQL Injection
  • Broken Authentication
  • Broken Session Management
  • Access Control Bypass
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Open URL Redirection
  • Directory Traversal

In order to qualify for a bounty, the vulnerability must exist in the latest public release (including officially released public betas) of the software. Only security vulnerabilities will qualify. We would love it if people reported other bugs via the appropriate channels, but since the purpose of this program is to fix security vulnerabilities, only bugs that lead to security vulnerabilities will be eligible for rewards. Other bugs will be accepted at our discretion.

We'll only consider issues which can be replicated in the most current release versions of these browsers:

  • Google Chrome
  • Mozilla Firefox
  • Apple Safari


Excluded Items

Please don't submit issues related to Cookies and Session Management. We consider these issues to be an Acceptable Risk. While possession of these elements could allow a malicious actor to access a user's account, the malicious actor does not have public access to this information. The only way a cookie or session information can be stolen is through a targeted attack on a user or a user not logging out of a public machine. We don't consider this to be a system vulnerability.

Don't submit issues that can only be replicated on outdated browsers. We all know older and out-of-date browsers are not as safe as newer ones. We'll only consider issues which can be replicated in the most current public release versions of Google Chrome, Mozilla Firefox, or Apple Safari.

Reports of issues where an attacker can only threaten their own account, such as Self XSS, will not be rewarded with a bounty. XSS caused by an Admin user will not be rewarded with a bounty.


Guidelines

Please adhere to the following guidelines in order to be eligible for rewards under this disclosure program:

  • Do not permanently modify or delete SpeakerMatch hosted data.
  • Do not intentionally access non-public SpeakerMatch data any more than is necessary to demonstrate the vulnerability.
  • Do not DDoS or otherwise disrupt, interrupt or degrade our internal or external services.
  • Do not share confidential information obtained from SpeakerMatch, including but not limited to member payment information, with any third party.
  • Social engineering is out of scope. Do not send phishing emails to, or use other social engineering techniques against, anyone, including our staff, members, vendors, or partners.

In addition, please allow us at least 90 days to fix the vulnerability before publicly discussing or blogging about it. Our team believes that security researchers have the right to report their research and that disclosure is highly beneficial, and understands that when and how to hold back details to mitigate the risk that vulnerability information will be misused is a highly subjective question. If you believe that earlier disclosure is necessary, please let us know so that we can begin a conversation.


Responsible Disclosure

  • We ask that you report vulnerabilities to us before making them public.
  • Please wait until we notify you that your reported vulnerability has been resolved before disclosing it to others. We take security issues very seriously, and as you know, some vulnerabilities take longer to resolve than others.
  • Do not engage in security research that has the potential to damage our systems or that does actual damage to our systems. This includes any activity that has an impact on the availability of our systems, including the use of vulnerability scanning tools.
  • Never exploit a vulnerability you discover to view data or alter data without authorization.

Please Use Our Bug Report Form!

If you think you have found a security issue or bug, please report it to our Website Security department by using the button below:


Once you submit a request, you'll get an automated response with a ticket number. You may log into the support portal at any time to check ticket updates. There's no need to send multiple requests asking if we received your ticket or what's up. We'll get to every ticket as soon as we can.