Program Details
Thank you for your interest in the Chameleon Security Disclosure bounty program! We are grateful for your help in making our platform as secure as possible.
External security testing is an important part of the process and makes Chameleon a safer platform. We are committed to working with researchers to verify, reproduce and respond to legitimate reported security vulnerabilities.
We pay bounties for unique (previously unreported) disclosures. The amount varies with how severe the issue is determined to be. If a bounty is awarded, it will be paid out through PayPal.
Submit a vulnerability with this form
Response
Someone from our security team will be in contact with you via email in the next few days to confirm that we have received your report. After the report has been reviewed, you will receive an email detailing our findings and whether your report is unique and therefore qualifies for a bounty. We are constantly receiving reports, so it may take us a few days to review your case. Thank you in advance for your patience.
If a vulnerability reported to our bug bounty program affects a third party, Chameleon reserves the right to forward the details of the issue to that third party without informing the researcher. We will try to communicate throughout the process as best we can.
Reporting
When submitting a vulnerability, be sure to add any screenshots, URLs or code that are specifically applicable to the vulnerability, how it is exploited and, most importantly, how to reproduce it. Please also include a step-by-step description of your findings.
Responsible Disclosure Guidelines
We will investigate received reports and make every effort to correct vulnerabilities quickly. To encourage responsible reporting, we will not take legal action against you provided that you comply with the following Responsible Disclosure Guidelines and other rules of this program:
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
- Do not modify or access data that does not belong to you.
- In cases where potential data modification is possible, contact: security@trychameleon.com and we will work with you to reproduce the vulnerability in a safe environment.
Exceptions - Issues outside the scope of this program
- Broad security concepts without specific information pertaining to Chameleon or our platform
- Open redirects (through headers and parameters) / Lack of security speedbump when leaving the site
- Internal IP address disclosure
- Accessible non-sensitive files and directories (e.g. README.TXT, CHANGES.TXT, robots.txt, .gitignore, etc.)
- Social engineering or phishing attacks
- Self-XSS
- Text injection
- Email spoofing (including SPF, DKIM, DMARC)
- Fingerprinting/banner disclosure on common or public services
- Clickjacking and issues only exploitable through clickjacking
- CSRF issues that don't impact the integrity of an account (e.g. log in or out, contact forms and other publicly accessible forms)
- Lack of rate limiting or other missing DoS protections
- HTTPS mixed-content scripts
- Missing HTTP security headers
- Denial of Service attacks
- Lack of MFA
- Use of a known-vulnerable component (exceptional cases, such as where you are able to provide proof of exploitation, may still be in scope)