SniffIt — Responsible Disclosure

1. Our promise to researchers

SniffIt treats security reports as a first-class signal. When you report a vulnerability in good faith, we commit to:

Respond within 2 business days.
Triage and confirm within 5 business days.
Remediate based on severity (see SLAs below).
Credit you publicly, or privately if you prefer.
Not pursue legal action against good-faith research that follows this policy.

2. In scope

The following assets are within scope for this program:

*.sniffit.app — marketing, dashboard, API
The SniffIt Chrome / Edge / Brave extension
First-party backend infrastructure (APIs, auth, scoring endpoints)

3. Out of scope

Please don't test these — reports will be closed as out-of-scope.

Denial-of-service, rate-limit testing, or volumetric attacks.
Social engineering of staff, contractors, or users.
Physical attacks against offices or hardware.
Third-party services, merchant sites, or marketplaces that SniffIt scores.
Findings from automated scanners without a working proof of concept.
Missing best-practice headers (HSTS, CSP) without a demonstrable impact.
Self-XSS or issues that require a fully-compromised browser.
Reports of outdated software without a known exploit affecting our configuration.

4. Rules of engagement

Use test accounts you create yourself; never access another user's data.
Stop as soon as you confirm the vulnerability — don't exfiltrate data.
Don't publicly disclose before we've had a chance to fix (coordinated disclosure).
Don't hold findings for ransom. Extortion disqualifies the report and voids safe harbor.

5. How to report

Email [email protected]. For high-severity findings, please encrypt with the PGP key below.

A good report includes:

A clear title and summary of the issue.
Affected asset (URL, extension version, endpoint).
Step-by-step reproduction instructions.
A proof-of-concept (video, cURL, or script).
Suspected impact and suggested severity.

Subject: [SEC] Stored XSS in dashboard profile settings
Asset:  https://app.sniffit.app/settings/profile
Impact: Executes arbitrary JS in victim's session
Steps:
  1. Log in and navigate to /settings/profile
  2. Set display name to: <img src=x onerror=alert(1)>
  3. Save, then view the profile as another user
Expected: HTML escaping
Actual:   payload executes on render

6. Severity & rewards

We base severity on CVSS 3.1 plus real-world impact. Rewards scale with severity and quality of the report. Duplicates are paid for the first valid submission only.

Critical

$500 – $1,500

RCE, auth bypass, mass PII exposure

High

$200 – $500

Account takeover, stored XSS, privilege escalation

Medium

$75 – $200

IDOR on low-risk resources, reflected XSS, CSRF

Low

$25 – $75

Swag / Hall of Fame credit, minor misconfigurations

7. Response SLAs

First response: within 2 business days.
Triage / confirmation: within 5 business days.
Critical fix: deployed within 7 days of confirmation.
High fix: within 30 days.
Medium / Low fix: within 90 days.
Public disclosure: coordinated with you, typically 90 days after fix deploy.

8. Safe harbor

We will not pursue civil or criminal action against researchers acting in good faith under this policy. Activity consistent with this policy is considered authorized, and we will work with you to understand and resolve the issue quickly.

If legal action is initiated by a third party against you for research conducted in compliance with this policy, we'll make it known that your activities were authorized.

9. Hall of fame

With your permission, we publicly credit every researcher who reports a confirmed, in-scope vulnerability. If you'd rather stay anonymous, just say the word.

Recent credits: coming soon — be the first.

10. PGP key

For encrypting sensitive reports:

Fingerprint: A91F 4C0E 22B8 77D1 6E94 B3AA 58F2 0D1C 9E3F 42A6
Key: security-pubkey.asc

Questions about the program: [email protected]. Thank you for helping keep SniffIt safe.