ThreatDown Responsible Disclosure Program Guidelines
Responsible vs non-responsible disclosure
From our experience, (a) disclosure of proof-of-concept exploit code, (b) unnecessary details beyond what is needed to get the point across, or (c) releasing vulnerability details prior to the availability of a fix represents non-responsible disclosure, which does more harm than good because it brings unnecessary attention to a security issue. Even if an issue is fixed through full and non-responsible disclosure, a determined and skilled attacker will always be able to find and exploit yet another vulnerability, so non-responsible or full disclosure will not make a positive difference to any given product and will generally result in putting real people at risk. Therefore, the ThreatDown CVD program will only award bug bounties to reporters who follow responsible disclosure guidelines.
What do we mean by Bug Bounty?
ThreatDown offers cash bug bounties for the most interesting bugs. The amount awarded for interesting bugs is between $100 and $2000, depending on the bug's severity and exploitability. However, ThreatDown reserves the right to increase this amount on a per-case basis. Additionally, the most innovative submissions, as decided by our research team, are entered into the ThreatDown Hall of Fame and receive a package of ThreatDown swag.
What confidentiality obligations do I take on by providing a submission?
If you send us a submission for this program, you are agreeing that you will never disclose functioning exploit code (including binaries of that code) for the applicable vulnerability to any other entity, unless ThreatDown makes that code generally publicly available or you are required by law to disclose it. This does not prevent you from discussing the vulnerability or showing the effects of the exploit in code.
What types of vulnerabilities does the CVD program accept?
The scope of the program is remote code execution vulnerabilities in our products and disclosure of private user information in the www.ThreatDown.com domain. Sub-domains which redirect to third-party platforms that are NOT owned by ThreatDown are out of scope of the Bug Bounty. ThreatDown does not and cannot grant permission to perform penetration tests on platforms which are not owned by ThreatDown. This includes sub-domains such as support.threatdown.com and store.threatdown.com. Please check the DNS entry to verify ownership of the platform prior to performing any penetration tests.
Reporters are required to include proof of exploitability with the vulnerability report in the form of a proof-of-concept. While non-exploitable bugs which result in crashes and stability issues are welcome, they may not be subject to the Bug Bounty. Bug Bounty eligibility for non-exploitable bugs will be considered by the ThreatDown team on a case-by-case basis.
ThreatDown is also interested in vulnerabilities in its web services (websites, portals, etc.) which may result in compromise or disclosure of confidential or personal information, or which may otherwise put our users at risk.
Last edited September 18, 2024