Responsible Disclosure Policy
If you have found a security vulnerability in any bug bounty program presented on this platform, we strongly encourage you to let us know by privately disclosing this information through our platform. We consider data privacy our highest priority.
To make sure we and the company fully understand the reported vulnerability, please include as much information in your description as possible, and list a way to reproduce the issue in your email.
Do not make your research or findings public, or share them with third parties, before the company deploys a fix for the reported vulnerabilities.
Upon receipt of your report we will send you a confirmation within 48 hours on a business day. Please allow a reasonable time for us to investigate your findings and take the appropriate measures. Always act in good faith towards our customers' data and avoid any privacy violations in the course of your research and disclosure. Crowdsec does not tolerate the unauthorized modification or destruction of users' data, or the interruption or degradation of our customers' services. White hat researchers are obviously welcome; Crowdsec and the company will not take legal action against you or your account as long as you comply with our policy of responsible disclosure.
To participate in any Crowdsec program, you must:
- Adhere to our Responsible Disclosure Policy (above)
- Be the first person to responsibly disclose a vulnerability
- Report anything that could compromise the integrity or the privacy of user data such as:
  - Remote Code Execution
  - Cross-Site Scripting (XSS)
  - Cross-Site Request Forgery (CSRF/XSRF)
  - Authentication bypass
  - Privacy problem
  - Privilege Escalation
Our security team will review each bug to determine if it qualifies.