The BetaTesting Responsible Vulnerability Disclosure program is designed to increase the security of the BetaTesting platform and technologies for the benefit of our users, our clients, and our company.
We believe that working with skilled, responsible security researchers is important for identifying vulnerabilities in any technology and for helping to make the web a safer place. We encourage responsible disclosure of security vulnerabilities via our Responsible Vulnerability Disclosure Program described on this page.
Reasons for participating:
Help make the web a safer place and protect personal information
We will add researchers that demonstrate quality bug submissions to our internal “security research panel”, and they will have opportunities to take part in paid bug tests and security tests we receive from any of our clients.
We will provide quality researchers with high ratings on BetaTesting, leading to more user research and bug testing invites on our platform.
Note: We do not provide any monetary rewards for vulnerability submissions, unless they are part of a paid bug hunt or security research test you are invited to.
How to submit vulnerabilities:
Create an account on BetaTesting as a tester, if you don't already have one.
Get in touch with us at team@betatesting.com with the subject "Vulnerability discovered". Send the email from the email address associated with your BetaTesting account.
We will directly invite you to a test on BetaTesting that is designed to allow you to submit an issue report for our "Responsible Vulnerability Disclosure" program.
What NOT to do, and what's out of scope:
Do not use any form of automation
Any activity that could lead to a disruption, slowness, or denial of service (DoS)
Any activity that may be considered spamming
Social engineering of BetaTesting, our users, testers, or clients
Any attempts at breaking physical security (properties, data centers, stealing, spying)
Rate limiting or brute force
Low severity issues with no real security impact
Vulnerabilities only affecting out-of-date or unsupported browsers/systems
Tabnabbing
Anything that violates privacy or destroys data. Once you have discovered that a vulnerability exists or you are presented with sensitive data (including personally identifiable information, financial information, or confidential information of any party), stop testing, get in touch with us, and do not disclose this data to anyone else.
Credential stuffing (i.e. using stolen or found credentials from other breaches to attempt to access BetaTesting).
Clickjacking
Interacting or posting data with accounts you don't own or without the explicit permission of the owner
Missing best practices in SSL/TLS configuration
Missing Security Headers
Missing HttpOnly or Secure flags on cookies
Missing best practices in Content Security Policy
Rules to follow:
Respect users' privacy, and be an ethical hacker
Please provide reports that include steps to reproduce with sufficient detail, and videos or screenshots where applicable
Please submit one vulnerability per report, unless combining several is necessary to demonstrate impact
Disclosure policy:
Please let us know as soon as possible when you discover a potential security issue. We'll try to resolve the issue as quickly as we can given our understanding of its severity.
We require non-disclosure, which means we expect all reports to be kept private unless BetaTesting decides to make them public. Please do not discuss any vulnerabilities discovered without consent from BetaTesting.