
Submit Your Research

If you believe you’ve discovered a security or privacy vulnerability that affects the Brilliant Directories platform or services, please report it directly to us. We review all eligible submissions for Security Bounty rewards.

$25 – $5,000 reward per bounty

Send Your Security Report

Submit your research report by emailing bounty@brilliantdirectories.com. Reports should include a thorough technical description of the behavior you observed, the steps required to reproduce the issue, and a proof-of-concept or exploit. A short video demonstrating the issue is welcome.

Communicate With Us

Our team reviews and investigates every submission. You can interact directly with us, and ask or respond to questions about your findings.

Collect Your Reward

If your report results in a system or software update, you’ll see information about when and how we’ll acknowledge your work. We’ll also let you know if you are eligible to receive a reward through the Brilliant Directories Security Bounty program.


Security Report Guidelines

A high-quality research report is critical to help us confirm and address an issue more quickly, and could help you receive a Brilliant Directories Security Bounty reward.

A complete report includes:

  • A detailed description of the issue(s) and the behavior you observed, as well as the behavior that you expected
  • A numbered list of steps required to reproduce the issue
  • A reliable exploit for the issue you are reporting
  • Details of any related issues or variants
  • A short video demonstrating the issue is welcome.

We strongly recommend including a working exploit, rather than a basic proof of concept. We accept reports without this information, but reports with more details typically receive higher bounty rewards. If your report doesn’t include the necessary information to allow us to reproduce the issue, we may not be able to accept your report or evaluate it for a bounty.

Issues that require execution of multiple exploits — as well as “one-click” and “zero-click” issues — require a full chain for maximum payout. Such issues should be submitted as a single report that includes:

  • Both compiled and source versions
  • Everything needed to execute the chain
  • A sample nondestructive payload, if needed

If you provide an exploit chain, please add it to a password-protected archive as an attachment.


Eligibility

Brilliant Directories Security Bounty eligibility rules are designed to make sure we can verify your research and protect customers until an update is available.

For an issue to be eligible for a Brilliant Directories Security Bounty, the issue you report must occur on the latest publicly available version of the Brilliant Directories platform with a standard configuration.

In addition, you must meet the following requirements:

  • You must be the first party to report the issue directly to Brilliant Directories by emailing bounty@brilliantdirectories.com.
  • Your report must be clear and detailed and must include a reliable way to reproduce the issue, such as a working exploit.
  • You must not disclose the issue publicly before Brilliant Directories releases a fix for the reported bug.

Some issues may be eligible for an additional bonus. For example, issues that are unique to newly added features or code may qualify for a bonus, if they’re reported within 90 days of the feature release.


Scope of Eligible Vulnerabilities

We are interested in security and privacy vulnerability reports pertaining to the Brilliant Directories platform software product offered through the brilliantdirectories.com website, rather than that website itself. If you are interested, you can sign up for a trial of the software here.

Out of Scope

  • Anything related to the www.brilliantdirectories.com website.
  • We allow Admins access to the code of their website through the “Widgets” system, and direct access to the databases of their websites. Any exploits on the frontend of the website that can be accomplished via this access would be out of scope.
  • DNS records / email record best practices (SPF/DKIM/DMARC records, etc.)
  • Missing best practices in Content Security Policy
  • Missing best practices in SSL/TLS configuration
  • Tabnabbing
  • Issues that require unlikely user interaction
  • Attacks requiring Man-In-The-Middle or physical access to a user’s device
  • Clickjacking on pages with no sensitive actions
  • Rate limiting or brute-force issues on non-authentication endpoints
  • Vulnerabilities only affecting users of outdated or unpatched browsers
  • SQL Injections within the Admin area or frontend of a website to the local databases that Admins already have access to (directory, billing, and backup)
  • XSS in the Admin area or frontend of a website
  • CSRF in the Admin area
  • Admin permission escalations
  • Exif information in images
  • Vulnerabilities present in applications/modules provided by a 3rd party

If anything changes regarding these categories, we will update them here on this page.

Within the Scope

There are many others, but here are examples of in-scope vulnerabilities that we are looking for:

  • XSS vulnerabilities caused by submitting content through the frontend of the website which affects the Admin area or other visitors to the frontend of the website
  • IDOR vulnerabilities on the frontend of a website
  • SQL injections that affect other websites or databases that are NOT local to the website
  • Admin permission escalations that impact other websites

Avoid Harm

Some security research may occur on production services that Brilliant Directories customers use and depend on. Do your best to avoid research that violates customer privacy, destroys data, or interrupts service.

If you discover customer data while researching, or are unclear if it is safe to proceed, please stop immediately and contact us at bounty@brilliantdirectories.com so we can take immediate action to resolve the issue and protect our customers.

Frequently Asked Questions

How do I submit a security research report?

If you believe you have discovered a security or privacy vulnerability in Brilliant Directories’ software or services, please report it to us.

Email your research report to bounty@brilliantdirectories.com. Anyone can submit a report, including developers, users, and security researchers. If a report you submit is valid and eligible, you may be publicly recognized in our release notes, and if your report meets additional criteria, you may also receive a reward through the Brilliant Directories Security Bounty program.

We make it a priority to resolve security and privacy issues as quickly as possible. Please note that for the protection of our customers, Brilliant Directories does not disclose or confirm security issues until our investigation is complete and any necessary updates are generally available.

Please note that you will not be able to track the progress of your report online. Our team will maintain communication with you throughout our review process.

What happens after I submit a report?

Brilliant Directories developers review all reports that are submitted directly to us.

If we need additional information, we’ll notify you via email. If you have questions, or want to provide more information to help us reproduce or investigate an issue, you can reply to your initial report email at any time.

After a valid report is addressed, it will be reviewed for a Brilliant Directories Security Bounty reward payment. If your report qualifies for a reward, you’ll be notified by the Brilliant Directories team about your reward, including bounty status, amount, and any next steps.

How are Brilliant Directories Security Bounty rewards determined?

We review each report to determine whether the issue reported is a valid security or privacy issue, and if so, whether it qualifies for a reward. All security issues with significant impact to users will be considered for the Brilliant Directories Security Bounty.

Brilliant Directories Security Bounty reward payments are based on:

  • The type of vulnerability, which can include the user interaction required, number of affected users, level of access, and other factors.
  • The quality of your research report, which helps our team understand, reproduce, and address the issue more quickly.

Maximum bounty amounts require high-quality reports and are meant to reflect significant scope and effort. Vulnerabilities that have a greater impact on users tend to receive larger bounty reward payments — for example, issues that affect most or all of the Brilliant Directories platform or services, or circumvent advanced security protections.

Other factors may include the number of users affected; the user interaction that’s required or whether the user is notified; the level of access or execution achieved; and the persistence of the issue. For example, a “zero-click” exploit — where an attacker would be able to gain access to a user’s data without any interaction from the user — would be eligible for a significantly larger bounty than an issue that requires physical access to a user’s device.

To increase your potential reward, make sure your report is detailed and thorough. Reports with only a basic proof of concept tend to receive about half the typical reward, and those without a working proof of concept typically receive even less. If your report doesn’t indicate how to reproduce the issue, it may not qualify for a bounty. A report for a bounty-eligible issue with a clear scenario that clearly demonstrates the issue is more likely to receive a top reward than a report for the same issue without supporting details.

Have other questions?

Email bounty@brilliantdirectories.com for answers to any other questions.
