At Pics.io, we are committed to keeping our systems, network and product secure. Despite the measures we take, the presence of vulnerabilities will always be possible. When such vulnerabilities are found, we’d like to learn of them as soon as possible, allowing us to take action to shore up our security. Please contact us in case you want to start searching for vulnerabilities on Pics.io.
You are allowed to search for vulnerabilities, as long as you don’t:
- Execute or attempt to execute a Denial of Service (DoS)
- Install malware of any kind
- Social engineer or phish our employees or customers
- Scan or run tests in a manner that would degrade the operation of the service or negatively affect our customers in any way
- Physically attack or damage our property, offices or data centers or attempt to do so
- Run tests on third-party applications, websites or services that integrate with Pics.io
- Scan or attack our infrastructure or attempt to do so
Breaching the above restrictions may result in launching an investigation and/or taking legal actions to. If you do discover a vulnerability, please contact us by sending an email to email@example.com.
What we ask of you:
- Submit your vulnerability report as soon as possible after discovery
- Do not abuse or exploit discovered vulnerabilities in any way for any purpose
- Do not share discovered vulnerabilities with any entities or persons other than Pics.io and its employees until after Pics.io has confirmed the vulnerability has been resolved.
- Provide us with adequate detailed information to enable us to investigate the vulnerability properly. To be able to investigate properly, we will need to be able to efficiently reproduce your steps.
- Provide us with the information required to contact you (at least telephone number or email address)
What we do:
- We will respond to your report with our evaluation of the report and an expected resolution date
- If you have followed the above instructions, we will not take any legal action against you regarding the report
Rewards and attribution:
- Please do not ask for a reward before reporting the vulnerability, as we need to evaluate your report before responding
- If you report a vulnerability that is unknown to us, and if you are not from a country where we are prohibited by law from making payments (e.g. due to sanctions), we may decide to offer you a reward based upon our assessment of the criticality of the vulnerability
Assets in scope:
Out of scope assets:
Out of scope vulnerabilities:
- Vulnerabilities affecting users of outdated or unsupported browsers or platforms
- Issues that require unlikely user interaction
- Issues that based on/include phishing or social engineering aspect
- Clickjacking/UI Redressing
- Reflected file download
- Verbose error pages (without proof of exploitability)
- SSL/TLS Best Practices
- Incomplete/Missing SPF/DKIM
- Fingerprinting/banner disclosure on common/public services
- Not stripped EXIF/IPTC/XMP/etc. files metadata
- Disclosure of known public files or directories, (e.g. robots.txt)
- Content spoofing (text injection)
- XSFR/CSRF issues
- Attacks that affect the attacker itself or its teammates (Self XSS/Stored XSS, abusing team data, etc.)
- Rate limit configurations on any endpoints
- OPTIONS HTTP method enabled
- Recently disclosed 0-day vulnerabilities
- Presence of autocomplete attribute on web forms
- Use of a known-vulnerable library (without proof of exploitability)
- Missing HTTP security headers, cookie flags or CSP best practices
Any report submitted will be handled with great care with regard to the privacy of the reporter. We will not share your personal information with third parties without your permission unless we are legally required to do so.
If you have any security questions or if you believe you have found a security vulnerability please don’t hesitate to contact our security team.