If you believe you’ve discovered a security or privacy vulnerability that affects the Brilliant Directories platform or services, please report it directly to us. We review all eligible submissions for Security Bounty rewards.
$25 – $5,000 reward per bounty
Submit your research report by emailing bounty@brilliantdirectories.com. Reports should include a thorough technical description of the behavior you observed, the steps required to reproduce the issue, and a proof-of-concept or exploit. A short video demonstrating the issue is welcome.
Our team reviews and investigates every submission. You can interact directly with us, and ask or respond to questions about your findings.
If your report results in a system or software update, you’ll see information about when and how we’ll acknowledge your work. We’ll also let you know if you are eligible to receive a reward through the Brilliant Directories Security Bounty program.
A high-quality research report is critical to help us confirm and address an issue quicker, and could help you receive a Brilliant Directories Security Bounty reward.
A complete report includes:
We strongly recommend including a working exploit, rather than a basic proof of concept. We accept reports without this information, but reports with more details typically receive higher bounty rewards. If your report doesn’t include the necessary information to allow us to reproduce the issue, we may not be able to accept your report or evaluate it for a bounty.
Issues that require execution of multiple exploits — as well as “one-click” and “zero-click” issues — require a full chain for maximum payout. Such issues should be submitted as a single report that includes:
If you provide an exploit chain, please add it to a password-protected archive as an attachment.
Brilliant Directories Security Bounty eligibility rules are designed to make sure we can verify your research and protect customers until an update is available.
For an issue to be eligible for a Brilliant Directories Security Bounty, the issue you report must occur on the latest publicly available version of the Brilliant Directories platform with a standard configuration.
In addition, you must meet the following requirements:
Some issues may be eligible for an additional bonus. For example, issues that are unique to newly added features or code may qualify for a bonus, if they’re reported within 90 days of the feature release.
We are interested in security and privacy vulnerability reports pertaining to the Brilliant Directories platform software product offered through the brilliantdirectories.com website, rather than that website itself. If you are interested, you can sign up for a trial of the software here.
Please note that the Brilliant Directories platform grants website administrators broad access to their websites’ code through the “Widgets” system, as well as broad access to the content of their websites via direct database access. While this level of access allows website administrators numerous ways to inadvertently harm their own websites, we are not focused on identifying such self-inflicted vulnerabilities for security bounties.
However, we do offer Brilliant Directories Security Bounties for discoveries including but not limited to:
Some security research may occur on production services that Brilliant Directories customers use and depend on. Do your best to avoid research that violates customer privacy, destroys data, or interrupts service.
If you discover customer data while researching, or are unclear if it is safe to proceed, please stop immediately and contact us at bounty@brilliantdirectories.com so we can take immediate action to resolve the issue and protect our customers.
If you believe you have discovered a security or privacy vulnerability in Brilliant Directories’ software or services, please report it to us.
Email your research report to bounty@brilliantdirectories.com. Anyone can submit a report, including developers, users, and security researchers. If a report you submit is valid and eligible, you may be publicly recognized in our release notes, and if your report meets additional criteria, you may also receive a reward through the Brilliant Directories Security Bounty program.
We make it a priority to resolve security and privacy issues as quickly as possible. Please note that for the protection of our customers, Brilliant Directories does not disclose or confirm security issues until our investigation is complete and any necessary updates are generally available.
Please note that you will not be able to track the progress of your report online. Our team will maintain communication with you throughout our review process.
Brilliant Directories developers review all reports that are submitted directly to us.
If we need additional information, we’ll notify you via email. If you have questions, or want to provide more information to help us reproduce or investigate an issue, you can reply to your initial report email at any time.
After a valid report is addressed, it will be reviewed for a Brilliant Directories Security Bounty reward payment. If your report qualifies for a reward, you’ll be notified by the Brilliant Directories team about your reward, including bounty status, amount, and any next steps.
We review each report to determine whether the issue reported is a valid security or privacy issue, and if so, whether it qualifies for a reward. All security issues with significant impact to users will be considered for the Brilliant Directories Security Bounty.
Brilliant Directories Security Bounty reward payments are based on:
Maximum bounty amounts require high-quality reports and are meant to reflect significant scope and effort. Vulnerabilities that have a greater impact on users tend to receive larger bounty reward payments — for example, issues that affect most or all of the Brilliant Directories platform or services, or circumvent advanced security protections.
Other factors may include the number of users affected; the user interaction that’s required or whether the user is notified; the level of access or execution achieved; and the persistence of the issue. For example, a “zero-click” exploit — where an attacker would be able to gain access to a user’s data without any interaction from the user — would be eligible for a significantly larger bounty than an issue that requires physical access to a user’s device.
To increase your potential reward, make sure your report is detailed and thorough. Reports with only a basic proof of concept tend to receive about half the typical reward, and those without a working proof of concept typically receive even less. If your report doesn’t indicate how to reproduce the issue, it may not qualify for a bounty. A report for a bounty-eligible issue with a clear scenario that clearly demonstrates the issue is more likely to receive a top reward than a report for the same issue without supporting details.
Email bounty@brilliantdirectories.com for answers to any other questions.
Try Any Theme |
Features |
Company |
Support |
|
|
||
But Someone Got Here Before You
Stay Tuned for Our Treasure Hunt Next Month
