Bug Reports & Security
Found something broken or a security issue? We want to hear about it. Whether it's a UI glitch, broken feature, or security vulnerability - your reports help us improve gitGood.dev for everyone.
Report a Bug
If you've found a bug - something not working as expected, a broken feature, UI issues, or any other problem - please let us know. Include as much detail as possible: what you were doing, what you expected to happen, and what actually happened.
Security Vulnerability Bounty
For security vulnerabilities, we run a bug bounty program. Valid reports are rewarded with a free month of gitGood.dev Premium, an exclusive Bug Hunter badge on your profile, and public recognition (with your permission). Reports on the following classes of vulnerability are eligible:
- Arbitrary code execution
- SQL injection
- Privilege escalation (from unauthenticated user or to admin users)
- Authentication bypass for login
- Circumvention of permission model for apps or admin users
- Cross-site request forgery
- Cross-site scripting - See the next section for limitations
Known Issues or Excluded Vulnerabilities
The following reports are not considered vulnerabilities or are outside the scope of this bug bounty program. Please do not report any of the following issues:
- Any issue where staff users are able to insert JavaScript in their content
- Any issue related to execution of JavaScript in the Rich Text Editor
- Cross-site scripting that requires full control of an HTTP header, such as Referer or Host
- Arbitrary file upload to the CDN server
- Insecure cookie handling for non-sensitive cookies
- Incorrect or missing cookie expiration
- CSRF for Login, Logout and Signup pages
- Issues with the SPF, DKIM or DMARC records for gitGood.dev domains or mail system abuse
- User enumeration
- Missing "X-Content-Type-Options" HTTP header with nosniff value
- Content spoofing on the error and restore-password pages
- Any kind of brute-force attack on our services
Ineligible Vulnerability Types
gitGood.dev does not consider the following to be eligible vulnerabilities under this program:
- Denial of Service
- Social Engineering, including phishing
- Failure to implement security best practices such as rate limiting or minimum password strength
- Any issue that can only be exploited with physical access to someone's device or with debug access enabled, or that depends on a vulnerability in the operating system
- Architectural decisions knowingly made by gitGood.dev are not considered valid submissions, even if a more secure alternative configuration exists
Rules for Participation
The following rules must be followed in order to get any rewards:
- Don't attempt to gain access to another user's account or data
- Don't perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed
- Don't publicly disclose a bug before it has been fixed
- Allow a reasonable amount of time for gitGood.dev to respond to your vulnerability report before publishing details of your exploit
- Only test for vulnerabilities on sites you know to be operated by gitGood.dev
- Do not impact other users with your testing; this includes testing for vulnerabilities in repositories you do not own. We may suspend your gitGood.dev account and ban your IP address if you do so
- Don't use scanners, scrapers or any other automated tools in your testing. They're noisy and we may suspend your gitGood.dev account and ban your IP address
- Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure
Rules for Us
- We will respond as quickly as possible to your submission
- We will keep you updated as we work to fix the bug you submitted
- We will not take legal action against you if you play by the rules
Contact
For bug reports and security vulnerability submissions, please use the form at the top of this page.
For security issues, please allow us reasonable time to address the vulnerability before public disclosure.