Security
Security is at the heart of mCaptcha. If you find any discrepancies in our software(see listing on our GitHub, -services available at
Rules:
Before you start
Check the list of domains that are in scope for the Bug Bounty program -and the list of targets for useful information for getting started.
Check the list of bugs that have been classified as ineligible.
Check our changelog(on our GitHub repositories) for recently launched features.
Never attempt non-technical attacks such as social engineering, +services available)
Rules:
Before you start
Check the list of domains that are in scope for security research +and the list of targets for useful information for getting started.
Check the list of bugs that have been classified as ineligible.
Check our changelog(in our GitHub repositories) for recently launched +features.
Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
When in doubt, contact me(@realaravinth) at realaravinth@batense.net.
Performing your research
Do not impact other users with your testing, this includes testing vulnerabilities with CAPTCHA credentials and account credentials -organizations you do not own. If you are attempting to find an +of accounts you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.
The following are never allowed for research. We may suspend your mCaptcha account for:
Performing distributed denial of service (DDoS) or other volumetric -attacks. Sure, we are a DDos protection company, but with sufficient +attacks. Sure, we are a DDoS protection organisation, but with sufficient resources and motivation, it is possible to take us down. For this -reason, we request you to not hammer us.
Spamming content Large-scale vulnerability scanners, scrapers, or +reason, we request you to not hurt us.
Spamming content Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.
Note: We do allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one nmap scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.
Researching denial-of-service attacks is allowed only if you follow these rules:
There are no limits for researching denial of service -vulnerabilities against your own instance of mCaptcha server.
We strongly recommend/prefer this method for researching -denial of service issues.
If you choose to test on mCaptcha proper (i.e. +vulnerabilities against your own instance of mCaptcha server. We +strongly recommend/prefer this method for researching denial of +service issues.
If you choose to test on mCaptcha proper (i.e. https://mcaptcha.org or https://mcaptcha.io):
- Research must be performed using credentials you own.
- Stop immediately if you believe you have affected the availability of our services. Don’t worry about demonstrating the full impact of your vulnerability, our team @@ -35,20 +37,20 @@ containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. We may ask you for the usernames and IP addresses used during your testing to assess the impact of the -vulnerability.
Reporting your vulnerability
Please include written instructions for reproducing the -vulnerability.
When reporting vulnerabilities you must keep all information on in our -email correspondence. Do not post information to video-sharing or -pastebin sites.
For vulnerabilities involving personally identifiable information, +vulnerability.
Reporting your vulnerability
Reports must include written instructions for reproducing the +vulnerability.
When reporting vulnerabilities you must keep all information on +restricted to email correspondence with us. Do not post information to +video-sharing or pastebin sites.
For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your bug report. For textual information and screenshots, please only include redacted data in your bug report.
During the course of an investigation, it may take time to resolve the issue you have reported. We ask that you refrain from publicly disclosing details regarding an issue you’ve reported until the fix has -been publicly made available.
Legal safe harbor:
We currently don’t have any legal policies in place but you can rest -assured that as long as your research adheres to the above rules, your -security research and vulnerability disclosure activities are considered -as “authorized”.
A detailed policy based on this sentiment is in the works.
Scope:
mCaptcha runs a number of services. Only domains listed below are are +been publicly made available.
Legal safe harbor:
We currently don’t have any legal policies in place but rest assured +that as long as your research adheres to the above rules, your security +research and vulnerability disclosure activities are considered as +“authorized”.
A detailed policy based on this sentiment is in the works.
Scope:
mCaptcha runs a number of services. Only domains listed below are are eligible for security research. Any mCaptcha-owned domains not listed below are not in scope and are not covered by our legal safe harbor
mcaptcha.org
- mcaptcha.org
- demo.mcaptcha.org
- demo2.mcaptcha.org
mcaptcha.io
- mcaptcha.io