Send full details of any vulnerability found in Crowdin by email to support@crowdin.com. Please provide all details of the vulnerability so that the Crowdin security team can verify and reproduce the security issue.
On behalf of thousands of users, we thank the following researchers for helping make Crowdin more secure. View the Hall of Fame
When submitting an issue, please provide a technical description so that we can assess the exploitability of the issue and its impact.
Please review the following terms before testing or reporting a vulnerability. Crowdin guarantees that, as long as researchers follow these rules, no legal action will be taken against them for penetrating or attempting to penetrate our systems.
While we encourage you to discover and responsibly report any vulnerabilities to us, the following activities are explicitly prohibited:
We ask that you do not share or publicize an unresolved vulnerability with/to third parties. If you responsibly submit a vulnerability report, the Crowdin security team and associated development organizations will use reasonable efforts to:
Please note that by submitting us a vulnerability report, you grant us a perpetual, worldwide, royalty-free, irrevocable and non-exclusive license and right, to use, modify, and incorporate your submission or any parts thereof into our products, services, or test systems without any further obligations or notices to you.
We would be thankful for any further relevant technical information that you may have, especially if reproduction is tricky. If we cannot reproduce it, we cannot reward you. However, there is no need to describe the security impact of your finding - we understand security risks and we can figure that out. We only need technical details.
We maintain flexibility with our reward system; rewards are based on severity, impact, and report quality. For example, we can provide you with a coupon to get Crowdin Swag. Depending on what you discover, you may go onto the Crowdin Hall of Fame. If you would rather stay behind an alias (handle) or anonymous, we will of course respect that.
We do have specific things we are (and are not) looking for, so check the "What are we looking for" section.
If you report several issues that are duplicates in different parts of the service (e.g., the same code running on different nodes or platforms), or part of a larger issue, these may be combined into one and only one reward may be possible.
If someone else has already reported the finding earlier, we will let you know after the issue has been fixed. If several researchers report the same issue, we only reward the sender of the first report that provides us with enough technical details to reproduce the finding. We know that this gives us a loophole to claim that everything has already been found, but trust us, we want to be fair.
A reward will not be provided if the finding becomes known to anyone other than you or us, in any way, before it is fixed.
You can always keep track of how your issue is progressing. Contact the Crowdin Security team for this: support@crowdin.com