
ForestRacks Bug Report Guide

This guide constitutes the bug report program for Forest Racks LLC d/b/a ForestRacks (hereinafter "ForestRacks," "we," "us," or "our").

Important Note: ForestRacks does not pay ransoms under any circumstances. We do, however, offer rewards for responsible disclosure of vulnerabilities in our software. Please read this guide carefully to understand our program's guidelines, scope, and rewards.

Bug Bounty Rewards

We value the contributions of security researchers and ethical hackers who responsibly disclose vulnerabilities. While we do not pay ransoms, we do offer monetary rewards for responsible disclosure. The amount of the reward will be determined based on the severity of the reported vulnerability and its potential impact. Rewards may range from $10 to $1,000.

Eligibility for Rewards

To be eligible for a reward, you must:

  • Discover a previously unknown vulnerability in software ForestRacks created. If you have questions about whether or not something is made by us, please contact our security team.
  • Report the vulnerability promptly and responsibly following our disclosure guidelines.
  • Avoid disclosing the vulnerability publicly before it has been resolved and you receive our approval to disclose it.
  • Provide a detailed report that includes clear steps to reproduce the issue.

The final decision on reward amounts will be made by ForestRacks, taking into account the severity, impact, and quality of the report.

Scope

In Scope

The following are in scope for our bug bounty program:

  • Web Applications: Vulnerabilities within our web applications, including but not limited to Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection, and Remote Code Execution.
  • APIs: Security vulnerabilities in our APIs.
  • Authentication: Issues related to authentication mechanisms.
  • Server Configuration: Misconfigurations and vulnerabilities on our servers.
  • Software: Vulnerabilities in our proprietary software.

Out of Scope

The following are out of scope for our bug bounty program:

  • Customer data (Personal information, payment data, and any other sensitive customer information)
  • Third-Party vulnerabilities (Whether or not we use them)
  • MFA issues
  • WAF bypass
  • Open redirects / Lack of security speedbump when leaving the site
  • Internal domain/IP address disclosure
  • Accessible Non-sensitive files and directories (e.g. README.md, CHANGES.md, robots.txt, .gitignore, WSDL, pprof, etc.)
  • Social engineering / phishing attacks
  • Self XSS
  • Text injection
  • Email spoofing (including SPF, DKIM, DMARC, From: spoofing, and visually similar, and related issues)
  • Descriptive error messages (e.g. stack traces, application or server errors, path disclosure)
  • Fingerprinting/banner disclosure on common/public services
  • Clickjacking and issues only exploitable through clickjacking
  • CSRF issues that don't impact the integrity of an account (e.g. log in or out, contact forms and other publicly accessible forms)
  • Lack of Secure and HTTPOnly cookie flags (critical systems may still be in scope)
  • Lack of rate limiting
  • Login or Forgot Password page brute force, account lockout not enforced, or insufficient password strength requirements
  • HTTPS mixed content scripts
  • Username / email enumeration by brute forcing / error messages (e.g. login / signup / forgotten password)
  • Missing HTTP security headers
  • TLS/SSL issues, including BEAST, BREACH, insecure renegotiation, weak cipher suites, expired certificates, etc.
  • Denial of Service attacks
  • Out-of-date software or protocols
  • Use of a known-vulnerable component (exceptional cases, such as where you are able to provide proof of exploitation, may still be in scope)
  • Physical attacks against ForestRacks's Facilities / Property
  • Hardware vulnerabilities
  • Forgotten domains/subdomains

Responsible Disclosure

We expect all researchers to follow responsible disclosure practices. This means you should:

  • Report vulnerabilities to us promptly and privately via our designated communication channels.
  • Provide clear and detailed information about the vulnerability.
  • Allow us a reasonable amount of time to assess and remediate the issue before disclosing it publicly.

How to Report a Vulnerability

To report a vulnerability, please send an email to [email protected] with the subject line "Bug Bounty Submission." Include the following information in your report:

  • Description of the vulnerability.
  • Steps to reproduce the issue.
  • Any relevant screenshots, videos, or proof-of-concept code.
  • Your contact information for communication and reward distribution.

Legal

Participation in our bug report program is subject to the following terms:

  • We will not take legal action against you if you follow responsible disclosure guidelines.
  • We expect you to respect the privacy and security of our customers and their data.
  • ForestRacks is not responsible for any tax implications that may result from receiving a reward.
  • Bug Bounty rewards are at the sole discretion of ForestRacks. ForestRacks may decline a reward for any reason.
  • ForestRacks reserves the right to modify or cancel the program at any time.

Thank you for helping us make ForestRacks more secure. We appreciate your efforts in keeping our software and infrastructure safe for our customers.

Happy hunting!