ThreatQuotient is committed to the privacy and security of our users and staff as core values. We believe responsible disclosure of security vulnerabilities reported by independent researchers can be an integral part of this commitment with the appropriate trust, transparency and respect.
GUIDELINES
Researchers are asked to:
Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems and destruction of data during security testing
Perform research only within the scope set out below
Use the identified communication channels to report vulnerability information to us
Treat information regarding any vulnerabilities you have discovered as confidential between yourself and ThreatQuotient
ThreatQuotient will:
Not pursue or support any legal action related to your specific research related to the disclosed vulnerabilities
Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission)
Recognize your contributions on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.
IN SCOPE TARGETS
*.threatq.com
ThreatQ Platform
ThreatQ Applications
IN SCOPE VULNERABILITIES
SQL Injection
Cross-site Scripting (XSS)
Significant Authentication Bypass
Access Control Issues (Insecure Direct Object Reference issues, etc.)
Cross-site Request Forgery in Critical Action
Information disclosure of Sensitive Information
Server-Side Request Forgery (SSRF)
Server-side Remote Code Execution (RCE)
XML External Entity Attacks (XXE)
Exposed Administrative Panels that don’t require login credentials
Directory Traversal Issues
Local File Disclosure (LFD)
Server Side Template Injection (SSTI)
OUT OF SCOPE VULNERABILITIES
Vulnerabilities identified with automated tools (including web scanners) that do not include proof-of-concept code or a demonstrated exploit
Findings from physical testing such as office access (e.g. open doors, tailgating)
Findings derived primarily from social engineering (e.g. phishing, vishing)
Findings from applications or systems not listed in the ‘Scope’ section
Network level Denial of Service (DoS/DDoS) vulnerabilities
Third-party applications, websites, or services that integrate with or link to ThreatQuotient
Content Injection issues
Most Brute Forcing Issues
Issues that require physical access to a victim’s computer
INDEPENDENT RESEARCHER WALL OF FAME
2024: Dawid Golak
2022: Mr. Hamza
2022: Girish B O
2021: Vedant Shinde
2021: Nikhil Rane
2020: Daniel Kalinowski