ProZ.com bug bounty disclosure program

The software security research community makes the web a better, safer place. ProZ.com supports its members' bug-hunting efforts with a bounty program.

To report a vulnerability, please email the ProZ.com team at security@proz.com. Be sure to include "bug bounty disclosure" in the subject line.

Qualifying vulnerabilities

The following domains and apps are within the scope of the program:

  • *.proz.com
  • *.tm-town.com
  • ProZ.com Mobile for iOS
  • ProZ.com Mobile for Android

To be eligible, you must demonstrate a security compromise on any of these domains using a reproducible exploit, including the following:

  • Cross-site request forgery exploits
  • Authentication or authorization flaws
  • Official ProZ.com mobile apps or API flaws
  • Server-side code execution bugs
  • Injection flaws
  • Significant security misconfigurations

NOT XSS (usually): Experience has shown that reports of cross-site scripting (XSS) vulnerabilities are often NOT ELIGIBLE for bounty payments because they do not support an actual exploit in ProZ.com's environment. If you find an XSS vulnerability, please send it in, but your time might be better spent looking for the qualifying vulnerabilities listed above.

Rules for eligibility

  • Don’t make the bug public before it has been fixed.
  • Don’t attempt to gain access to another user’s account or data. Use your own test accounts for cross-account testing.
  • Don’t perform any attack that could harm the reliability/integrity of ProZ.com services or data. DDoS/spam attacks are not allowed.
  • Only test for vulnerabilities on sites or apps you know are operated by ProZ.com. Some sites hosted on subdomains of ProZ.com are operated by third parties and should not be tested.
  • Do not impact other users with your testing. This includes testing for vulnerabilities in accounts you do not own.
  • Don’t use scanners or automated tools to find vulnerabilities.
  • No non-technical attacks such as social engineering, phishing, or physical attacks against ProZ.com employees, users, or infrastructure.
  • The more thorough the proof-of-concept, the higher the chance a payout will be awarded.
  • When in doubt, contact ProZ.com staff at security@proz.com.

ProZ.com staff will respond as quickly as possible to your submission, and will keep you updated as the bug is verified and fixed.

Note:

ProZ.com deals only with principals, not vulnerability brokers. If you reside in a country on a United States restricted export control list, or are on a United States state or federal criminal wanted list or restricted export control list, you may not be eligible to participate in this program. ProZ.com staff will make the final decision on bug eligibility and value. This program exists entirely at the discretion of the owner of ProZ.com and may be modified or canceled at any time. Any changes made to this program's terms do not apply retroactively. Thank you for helping to make ProZ.com more secure.
