Skip to main content
All CollectionsFor Our Tester CommunitySubmitting Bugs
BetaTesting Responsible Vulnerability Disclosure Program
BetaTesting Responsible Vulnerability Disclosure Program

Learn about participating in the Responsible Vulnerability Disclosure as an ethical hacker

Updated over a week ago

The BetaTesting Responsible Vulnerability Disclosure program is designed to increase the security the BetaTesting platform and technologies for the benefit of our users, our clients, and our company.

We believe that working with skilled responsible security researchers is important to assist in identifying vulnerabilities in any technology, and helping to make the web a safer place. We encourage responsible disclosure of security vulnerabilities via our Responsible Vulnerability Disclosure Program described on this page.

Reasons for participating:

  • Help make the web a safer place and protect personal information

  • We will add researchers that demonstrate quality bug submissions to our internal “security research panel”, and they will have opportunities to take part in paid bug tests and security tests we receive from any of our clients.

  • We will provide quality researchers with high ratings on BetaTesting, leading to more user research and bug testing invites on our platform.

  • Note: We do not provide any monetary rewards for vulnerability submissions, unless they are part of a paid bug hunt or security research test you are invited to.

How to submit vulnerabilities:

  • Create an account on BetaTesting as a tester, if you don't already have one.

  • Get in touch with us at with the subject "Vulnerability discovered". Send the email from the email address associated with your BetaTesting account.

  • We will directly invite you to a test on BetaTesting that is designed to allow you to submit an issue report for our "Responsible Vulnerability Disclosure" program.

What NOT to do, and what's out of scope:

  • Do not use any form of automation

  • Any activity that could lead to a disruption, slowness, or denial of service (DoS)

  • Any activity that may be considered spamming

  • Social engineering of BetaTesting, our users, testers, or clients

  • Any attempts at breaking physical security (properties, data centers, stealing, spying)

  • Rate limiting or brute force

  • Low severity issues with no real security impact

  • Vulnerabilities only affecting out-of-date or unsupported browsers/systems

  • Tabnabbing

  • Anything that violates privacy or destroys data. Once you have discovered that a vulnerability exists or you are presented with sensitive data (including personally identifiable information, financial information, or confidential information of any party), stop testing, get in touch with us, and do not disclose this data to anyone else.

  • Credential stuffing (i.e. using stolen or found credentials from other breaches to attempt to access BetaTesting).

  • Clickjacking

  • Interacting or posting data with accounts you don't own or without the explicit permission of the owner

  • Missing best practices in SSL/TLS configuration

  • Missing Security Headers

  • Missing HttpOnly or Secure flags on cookies

  • Missing best practices in Content Security Policy

Rules to follow:

  • Respect user's privacy, and be an ethical hacker

  • Please provide reports that include steps to reproduce with sufficient detail, and videos or screenshots where applicable

  • Please submit one vulnerability per-report, unless necessary to demonstrate impact

Disclosure policy:

  • Please let us know as soon as possible of the discovery of a potential security issue. We'll try to resolve the issue as quickly as we can given our understanding of the severity.

  • We require non-disclosure, which means we expect all reports are always kept private, unless BetaTesting decides to make them public. Please do not discuss any vulnerabilities discovered without consent from BetaTesting.

Did this answer your question?