Responsible disclosure

Even though our services are based around finding security bugs in web applications, we are not as naive as to think that our own applications are 100% flawless. We take security issues seriously and will respond swiftly to fix verifiable security issues. If you are the first to report a verifiable security issue, we'll thank you with a place at our hall of fame page.

We encourage anyone to report security issues to

A graphic of a megaphone

Who can participate in the program?

Anyone who doesn't work for Detectify or partners of Detectify who reports a unique security issue in scope and does not disclose it to a third party before we have patched and updated may be upon their approval added to the Detectify Hall of Fame.

How should reports be formatted?

We would like you to format your reports like this:

Name: %name  
Twitter: %twitter  
Bug type: %bugtype  
Domain: %domain  
Severity: %severity  
URL: %url  
PoC: %poc  
CVSS (optional): %cvss  
CWSS (optional): %cwss 

Which domains are in scope?

The domain and any subdomain except for these:

If you can however prove that a bug under these domains have significant impact (for example fetching content on from, a bug on these domains may qualify anyway.

What bugs are eligible?

Any typical web security bugs such as:

Cross-site Scripting
Open redirect
Cross-site request forgery
File inclusion
Authentication bypass
Server-side code execution

What bugs are NOT eligible?

Typical “no impact” bugs such as:

Missing Cookie flags on non-session cookies or 3rd party cookies
Logout CSRF
Social engineering
Denial of service
Email spoofing, SPF, DMARC & DKIM.

Other guidelines

Please don't perform research that could impact other users. Secondly, please keep the reports short and succinct. If we fail to understand the logics of your bug, we will tell you.

Detectify reserves the rights to discontinue the reward program without previous notice at any time.