Vulnerability Disclosure Program

Vulnerabilities may be reported using the form provided or by emailing security@debtbook.com.

Identification Header

In order to separate researcher traffic from real user traffic, Debtbook requires that you include a unique string in the User-Agent of every HTTP request you make (whether directly or through any tooling you might use).

Include the string “(db_vdp)” in your user-agent as follows: - User-Agent: [..] (db_vdp)

DebtBook will do our best to meet the following SLAs for researchers participating in our program:

We’ll try to keep you informed about our progress throughout the process.

Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without DebtBook's express written permission.

The targets that are in scope are:

• app.debtbook.com
• sources.debtbook.com
• uat.debtbook.com

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
• When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
• Do not compromise or exfiltrate data, establish command-line access and/or persistence, or "pivot" to other systems.
• Once you've established that a vulnerability exists, or encounter any of the sensitive data outlined below, please stop your test and notify us immediately; and
• Use the identified communication channels to report vulnerability information to us.

• Personally identifiable information (Name, Title, Email)
• Financial information - While much of the data and information contained within DebtBook is available in the public domain or is subject to disclosure under applicable public records laws, some user data or information may constitute or contain confidential information not subject to disclosure.

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

• Clickjacking on pages with no sensitive actions.
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS).
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS Rate limiting or brute force issues on non-authentication endpoints.
• Missing best practices in Content Security Policy.
• Missing HttpOnly or Secure flags on cookies.
• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
• Vulnerabilities only affecting users of outdated or unpatched browsers [More than 2 stable versions behind the latest released stable version].
• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
• Tabnabbing
• Open redirect - unless an additional security impact can be demonstrated.
• Issues that require unlikely user interaction.

If you make a good faith effort to comply with this policy during your security research, we will (1) consider your research to be authorized, (2) work with you to understand and resolve the issue quickly, and (3) not initiate or recommend legal action related to your research.

If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

When conducting vulnerability research according to the guidelines and scope of this policy, we consider this research to be:

• Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
• Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
• Exempt from restrictions in any software Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please contact us through one of the channels in the "Reporting a vulnerability" section before going any further.

Thank you for helping keep DebtBook and our users safe!