Guilded

Security Policy




Guilded Support, updated 1 month ago

Policy
<p>Guilded appreciates the security community's work in finding vulnerabilities that help keep our customers and our business safe.</p>

Response
<p>Guilded will make a best effort to respond to and triage problems brought to our attention. Our goal is to respond to reports within four days and then triage them within an additional four days.</p>
<p>We'll do our best to keep you informed throughout the process.</p>

Disclosure
<p>The goal of this program is to help keep our users and their data safe, so when disclosing a vulnerability please follow the rules set out here. Additionally, respect our users' privacy and ensure your actions do not harm our users.</p>
<p>On our end, we will make an effort to prioritize security and not take punitive action against researchers who abide by our guidelines, so that reports are encouraged.</p>

Guidelines
<ul>
<li>Please provide detailed, reproducible steps to trigger the vulnerability.</li>
<li>When we receive multiple reports for the same issue, we will not necessarily be able to respond to all of them, but we will respond to the first report received.</li>
<li>If a single underlying problem causes multiple vulnerabilities, we will consider that a single vulnerability.</li>
<li>Any social engineering (e.g. phishing) is prohibited.</li>
<li>During your investigations, make a reasonable effort to avoid:
<ul>
<li>privacy violations</li>
<li>destruction of data</li>
<li>interruption or degradation of our service</li>
</ul>
</li>
<li>Only interact with accounts you own, or with the explicit permission of the account owner.</li>
</ul>

Recognition and Reward
<p>We will recognize those who help us here and, in some cases, provide a modest reward depending on the scope and severity of the discovered vulnerability. A report must be the first report we receive for a specific issue to be eligible.</p>

Out of scope vulnerabilities
<strong>When reporting vulnerabilities, please consider both the attack scenario and the security impact of the bug. The following issues are not in scope:</strong>
<ul>
<li>Exposing session tokens in URLs without proof of exploitability.</li>
<li>Clickjacking on pages with no sensitive actions.</li>
<li>Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.</li>
<li>Attacks requiring MITM or physical access to a user's device.</li>
<li>Previously known vulnerable libraries without a working proof of concept.</li>
<li>Comma Separated Values (CSV) injection without demonstrating a vulnerability.</li>
<li>Missing best practices in SSL/TLS configuration.</li>
<li>Any activity that could lead to the disruption of our service (DoS).</li>
<li>Content spoofing and text injection issues without showing a code execution attack vector.</li>
<li>Rate limiting or brute force issues on non-authentication endpoints.</li>
<li>Missing best practices in Content Security Policy.</li>
<li>Missing HttpOnly or Secure flags on cookies.</li>
<li>Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).</li>
<li>Vulnerabilities only affecting users of outdated or unpatched browsers (more than two stable versions behind the latest released stable version).</li>
<li>Software version disclosure, banner identification issues, and descriptive error messages or headers (e.g. stack traces, application or server errors).</li>
<li>Public zero-day vulnerabilities that have had an official patch for less than one month will be awarded on a case-by-case basis.</li>
<li>Tabnabbing.</li>
<li>Open redirect, unless an additional security impact can be demonstrated.</li>
<li>Issues that require unlikely user interaction.</li>
</ul>

Safe Harbor
<p>Any activities conducted in a manner consistent with this policy will be considered authorized conduct. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.</p>
<p>Reports can be submitted to security@guilded.gg</p>
<p>Thank you for helping keep our users safe!</p>

Thank You
<p>We would like to thank the following for helping to improve the safety and security of our community:</p>
<ul>
<li>Cameron Dawe and Spam404</li>
<li>Yoshinori Hayashi</li>
<li>wa1m3im</li>
<li>atom0s</li>
<li>Agung Saputra Ch Lages</li>
<li>Bryce</li>
<li>Mahmoud Osama from Secare.io</li>
<li>Nitin Gavhane</li>
<li>Swapnil Patil</li>
<li>NULLYUKI</li>
<li>Sheikh Rishad</li>
<li>Bryce</li>
</ul>





Comments:
On 2021-01-24 09:17:29 UTC, JustinBack (1764) Staff wrote:

Document has been crawled
Old length: 0 CRC 0
New length: 4751 CRC 3418393909

On 2021-07-20 21:42:28 UTC, Agnes_de_Lion (20760) Staff wrote:

Document has been crawled
Old length: 4751 CRC 3418393909
New length: 4923 CRC 990981336