Report a Potential Security Issue

Responsible Disclosure For Better Detection

ThreatQuotient is committed to the privacy and security of our users and staff as core values. We believe responsible disclosure of security vulnerabilities reported by independent researchers can be an integral part of this commitment with the appropriate trust, transparency and respect.

Submission Policy

Guidelines

We require that all researchers:

Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems and destruction of data during security testing

Perform research only within the scope set out below

Use the identified communication channels to report vulnerability information to us

Treat information regarding any vulnerabilities you have discovered as confidential between yourself and ThreatQuotient

If you follow these guidelines when reporting an issue to us, we commit to:

Not pursue or support any legal action related to your specific research into the disclosed vulnerabilities

Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission)

Recognize your contributions on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.

IN SCOPE TARGETS

*.threatq.com

ThreatQ Platform

ThreatQ Applications

IN SCOPE VULNERABILITIES

SQL Injection

Cross-site Scripting (XSS)

Significant Authentication Bypass

Access Control Issues (Insecure Direct Object Reference issues, etc.)

Cross-site Request Forgery in Critical Actions

Disclosure of Sensitive Information

Server-Side Request Forgery (SSRF)

Server-side Remote Code Execution (RCE)

XML External Entity Attacks (XXE)

Exposed Administrative Panels that don’t require login credentials

Directory Traversal Issues

Local File Disclosure (LFD)

Server Side Template Injection (SSTI)

OUT OF SCOPE VULNERABILITIES

In the interest of safety and legality for all relevant parties, the following test types are excluded from scope:

Vulnerabilities identified with automated tools (including web scanners) that do not include proof-of-concept code or a demonstrated exploit

Findings from physical testing such as office access (e.g. open doors, tailgating)

Findings derived primarily from social engineering (e.g. phishing, vishing)

Findings from applications or systems not listed in the ‘Scope’ section

Network level Denial of Service (DoS/DDoS) vulnerabilities

Third-party applications, websites, or services that integrate with or link to ThreatQuotient

Content Injection issues

Most Brute Forcing Issues

Issues that require physical access to a victim’s computer

Independent Researcher Wall of Fame

2024: Dawid Golak

2022: Mr. Hamza

2022: Girish B O

2021: Vedant Shinde

2021: Nikhil Rane

2020: Daniel Kalinowski

Submit Security Issue