Security Guilded Support <ul>
<p>Guilded appreciates the security community's efforts to find vulnerabilities that help keep our customers and our business safe.</p>
<p>Guilded will make a best effort to respond to and triage problems brought to our attention.
Our goal is to respond to reports within four days and then triage within an additional four days.</p>
<p>We'll do our best to keep you informed throughout the process.</p>
<p>The goal of this program is to help keep our users and their data safe, so when disclosing a vulnerability please follow the rules set out here.
Additionally, make sure to respect our users’ privacy and ensure your actions do not harm our users.</p>
<p>On our end, we will make an effort to prioritize security and, to encourage reports, will not take punitive action against researchers who abide by our guidelines.</p>
<li>Please provide detailed, reproducible steps to reproduce the vulnerability.</li>
<li>When we receive multiple reports for the same issue, we will not necessarily be able to respond to all reports but will respond to the first report received. </li>
<li>If a single underlying problem causes multiple vulnerabilities, we will consider that a single vulnerability.</li>
<li>Any social engineering (e.g. phishing) is prohibited.</li>
<li>During your investigations, make a reasonable effort to avoid:
<ul>
<li>destruction of data</li>
<li>interruption or degradation of our service</li>
</ul>
</li>
<li>Only interact with accounts you own or with the explicit permission of the owner.</li>
Recognition and Reward
<p>We will recognize those that help us here and, in some cases, provide a modest reward depending on the scope and severity of the discovered vulnerability.
A report must be the first report we receive for a specific issue to be eligible.</p>
Out of scope vulnerabilities
<strong>When reporting vulnerabilities, please consider both the attack scenario and the security impact of the bug.
The following issues are not in scope:</strong>
<li>Exposing Session Tokens in URLs without proof of exploitability.</li>
<li>Clickjacking on pages with no sensitive actions</li>
<li>Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions</li>
<li>Attacks requiring MITM or physical access to a user's device.</li>
<li>Previously known vulnerable libraries without a working Proof of Concept.</li>
<li>Comma Separated Values (CSV) injection without demonstrating a vulnerability.</li>
<li>Missing best practices in SSL/TLS configuration.</li>
<li>Any activity that could lead to the disruption of our service (DoS).</li>
<li>Content spoofing and text injection issues without showing a code execution attack vector</li>
<li>Rate limiting or brute force issues on non-authentication endpoints</li>
<li>Missing best practices in Content Security Policy.</li>
<li>Missing HttpOnly or Secure flags on cookies</li>
<li>Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)</li>
<li>Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]</li>
<li>Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application, or server errors).</li>
<li>Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.</li>
<li>Open redirect - unless an additional security impact can be demonstrated</li>
<li>Issues that require unlikely user interaction</li>
<p>Any activities conducted in a manner consistent with this policy will be considered authorized conduct.
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.</p>
<p>Reports can be submitted to email@example.com</p>
<p>Thank you for helping keep our users safe!</p>
<p>We would like to thank the following for helping to improve the safety and security of our community:</p>
<li>Cameron Dawe and Spam404</li>
<li>Agung Saputra Ch Lages</li>
<li>Mahmoud Osama from Secare.io </li>
<li>Nitin Gavhane </li>
</ul>
<ul>