SpeakerMatch Bug Bounty Program

Found a security vulnerability? Here's how to report it!

We aim to keep our services safe for everyone, and data security is of utmost importance. If you are a security researcher and have discovered a security vulnerability in our service, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before publishing technical details.

We will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. We won’t take legal action against, suspend, or terminate access to our services of those who discover and report security vulnerabilities responsibly. We reserve all of our legal rights in the event of any noncompliance.


Reporting

Share the details of any suspected vulnerability in the service at www.speakermatch.com with us by submitting a ticket through our system using the button above. Please do not publicly disclose these details outside of this process without our explicit permission. When reporting a suspected vulnerability, please include as much information as possible, such as the affected page or feature, the steps needed to reproduce the issue, and the impact you observed.


Vulnerability Scores

The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable, accurate measurement while letting users see the underlying vulnerability characteristics that were used to generate the score.

We use CVSS to help ensure that you and our team agree on the severity ranking of your report.

You can use the CVSS v3 calculator to help determine the severity of your reported issue. If you'd like, use the link below to generate a CVSS v3 vector string and include it in your report.

CVSS V3 Calculator


Compensation

As a thank-you to the security researchers who choose to participate in our bug bounty program, we are pleased to offer a bounty for vulnerability information that helps us protect our customers.

The bounty program applies only to vulnerabilities in our service at the domain www.speakermatch.com; we do not offer a bounty for services at any other domain or subdomain. The bounty amount varies with the severity of the issue submitted.

Once a reported issue has been verified by our team, you'll be eligible for a reward. Award amounts range from $20 for Low-Risk issues up to $500 for the most serious vulnerabilities.

NOTE: We will only reward the first reporter of a vulnerability. No duplicate reports will be rewarded.


Scope

You may only test against a SpeakerMatch account for which you are the account owner or a merchant authorized by the account owner to conduct such testing.

We will reward you for the following types of vulnerabilities:

  • Remote Command Execution (RCE)
  • SQL Injection
  • Broken Authentication
  • Broken Session Management
  • Access Control Bypass
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Open URL Redirection
  • Directory Traversal

Issues that let an attacker affect only their own account (self-XSS, for example) will not be rewarded with a bounty. XSS that can only be injected by an Admin will not be rewarded with a bounty.


Responsible Disclosure

  • We ask that you report vulnerabilities to us before making them public.
  • Please wait until we notify you that your reported vulnerability has been resolved before disclosing it to others. We take security issues very seriously, but some vulnerabilities take longer to resolve than others.
  • Do not engage in security research that could damage, or does damage, our systems. This includes any activity that affects the availability of our systems, including the use of automated vulnerability scanning tools.
  • Never exploit a vulnerability you discover to view data or alter data without authorization.

Please Use Our Bug Report Form!

If you think you have found a security issue or bug, please report it to our Website Security department: