Security

Reporting security issues

Keeping customer data safe and secure is a huge responsibility and our top priority. We work hard to protect against the latest threats, so your input and feedback on our security is always appreciated.

Security researchers

We are happy to work with security researchers, you're an important part of keeping the internet a safe place to work. If you discover a flaw in our security that could impact DropInBlog or our users then please let us know by contacting our security team.

Acknowledgement Program

We don’t offer bug bounties. However we acknowledge contributions here on our site.

Only the first researcher to report a specific qualifying issue is eligible for acknowledgement. Whether an issue is a qualifying issue, as well as eligibility for acknowledgement, are decisions taken by us in our discretion.

We reserve the right to cancel this program at any time without notice.

Guidelines

In order to qualify for acknowledgement, please follow these guidelines when reporting issues:

Do not use automated scripts/tools without prior approval and scheduling. We understand the value of automated vulnerability detection scripts and software, but we ask you not to run automated scans of any kind without scheduling it with us in advance.
Only test DropInBlog systems. Systems hosted by third parties do not qualify for acknowledgement.
Please do not share your research or findings publicly until we’ve had time to research and release a fix for the problem.

Vulnerabilities eligible for acknowledgement

Arbitrary redirects
Authentication or authorization flaws
Circumventing of platform and/or privacy permissions
Clickjacking
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
Privilege escalation
Server-side code execution (RCE)
SQL injection

Ineligible vulnerabilities

Denial of Service (DoS)
Issues with outdated or unpatched browsers
Minor information disclosures (ex. server software/version)
Spamming
Vulnerabilities in third-party web sites and tools that integrate with DropInBlog
Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves be susceptible to attack

How to report issues

Report security vulnerabilities to security@dropinblog.com. Provide steps to reproduce the problem in our systems. Providing generic background information about a class of vulnerability without specific details about how our systems are vulnerable does not qualify for acknowledgement.
Expect a followup within 24 hours on business days. We do our best to respond quickly. We take every report seriously, and if you don’t hear back promptly, it doesn’t mean that we’re ignoring it. It means that we didn’t receive it. If you don’t hear back within 24 hours on a business day, please drop us a reminder via our support email address, and we’ll make sure that it hasn’t slipped through the cracks.
Once we’ve received your email, we’ll work with you to make sure that we completely understand the scope of the problem and keep you informed as we work on the solution.

Acknowledgements

We appreciate your help to find and resolve security issues responsibly. The following have worked to help us keep DropInBlog safe and secure for everyone. Thank you.

Shane Gosling

Updated on: 20/01/2022