PD/ONE : Vulnerability Reporting Program
"I'm only human. Of flesh and blood, I'm made... Born to make mistakes."
- Human, The Human League, 1986
Practical Data embraces the idea that we all human. Mistakes will be made, but we can
rely on each other to make the world a better place. Our vulnerability reporting program provides a path for
security researchers and freelancers to report issues and potentially receive a reward for their
contribution to the ongoing security of our services.
How we Classify and Prioritize
Practical Data uses Bugcrowd's Vulnerability Rating Taxonomy (https://bugcrowd.com/vulnerability-rating-taxonomy)
as our initial guide for prioritizing and classifying vulnerabilities. Please note that this is used as
guide for classification, but our team will ultimately determine the priority and severity of any reported issues.
How to Submit a Report
Please email us at "[email protected]"
Sites Running PD/ONE Services
Many sites/domains use our PD/ONE services. Reports relating to the security of any of our services running on those sites should be reported here. You may have reached this page after being referred
by a site (domain) that uses our software. Please work directly with us to report your vulnerability.
In the event that the reported vulnerability is not related to our software, we will refer the issue to the site in question so that they can handle it or refer it to the correct partner.
To be eligible, you must provide a demonstrable security issue with example code to reproduce the issue.
Qualifying issues include:
- Cross Site Scripting Exploits
- Authentication issues
- SQL injection or similar attacks
- Other security issues that are within our control to mitigate
Issues that do not qualify include:
- Bugs that require phishing, email spoofing, clicking on misspelled URLs or other deception that we are unable to reasonably mitigate.
- Security issues that have previously been reported or are already known to our team.
- DDoS or other attacks that would impact our systems.
Rules (for you)
- Do not make a bug public before it has been fixed.
- Do not attempt to gain access to another user's account or data. (Only test using your own test accounts.)
- Don't perform any attack that could impact the performance or reliability of our system. DDoS and spamming attacks are prohibited.
- Do not use automated tools to scan our software looking for vulnerabilities. (We have enough real traffic as it is.)
- Be professional and respect our final decisions.
Rules (for us)
- We will acknowledge your reports and respond within reasonable timeframes.
- We will keep you updated on our process as we work to verify and fix your reported vulnerability.
- We will not take legal action against you if you follow the rules of the program and act in good faith.
Based on the severity of the bug (based on our sole discretion), we offer the following rewards:
Severity P1: $600
- Examples: SQL Injection, unrestricted access to database, filesystems and other infrastructure,
bypass of significant security controls, remote code execution, etc.
Severity P2: $250
- Examples: Discovery of hardcoded password or other backdoor, account takeover, cross-site-scripting
privilege escalation, etc.
Severity P3: $100
- Examples: Cross-Site Scripting (XSS), Sensitive Data Exposure, etc.
Severity P4 & P5: A heartfelt "thank you" and potentially some reward if our team thinks it is warranted.
- Examples: Lack of Password Confirmation, No Rate Limiting on form, Missing secure or HTTPOnly Cookie Flag.