MetaCTF Inc.

Vulnerability Disclosure Policy

Last Updated: June 1st, 2021

MetaCTF takes security very seriously and recognizes the importance of community outreach. Our team is committed to addressing reported issues to ensure the security of our networks and the safety and privacy of our users.

SCOPE

This policy applies to services and applications accessible at the following domains:

  • metactf.com
  • compete.metactf.com

Anything not explicitly defined in-scope above is by default out-of-scope.

GUIDELINES

  • Notify us as soon as possible after you discover a real or potential security issue.
  • Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent access, or pivot to other systems.
  • Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
  • Do not access, impact, modify, or destroy customer data or data that does not belong to you in any way.
  • Do not submit a high volume of low-quality reports.

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

WHAT WE ARE NOT LOOKING FOR

  • Vulnerabilities that have a low security impact, including, but not limited to, the ones listed here.
  • Network level DoS/DDoS vulnerabilities.
  • Vulnerabilities in resources provided as part of a competition or in applications that are vulnerable by design. If the vulnerability allows you to obtain remote code execution or take over the machine hosting the challenge, please let us know.

REPORTING

Please send the reports to security@metactf.com.

Please include proof of concept code, how you found the bug, and any plans for public disclosure.

If you identify the same or similar types of issues in multiple locations, please combine those findings into a single submission.

WHAT YOU CAN EXPECT FROM US

Within 3 business days, we will acknowledge that your report has been received.

If the vulnerability has sufficient security impact, needs to be fixed, and requires a code change, we will provide you with an estimated time frame for addressing the vulnerability and notify you when the issue has been resolved.

Reports that only include automated tool output may be ignored.

REWARDS

We maintain flexibility with our reward system, and rewards are based on severity, impact, and report quality. At the moment, we are unable to offer rewards for low-risk submissions or for tests that were not pre-approved. In-kind rewards may be available.

Reports on functional, UI, and UX bugs and spelling mistakes are not eligible for rewards.

THIRD-PARTY BUGS

If issues reported to us affect a third party, MetaCTF reserves the right to forward details of the issue to that party without further discussion with the researcher.

CONTACT

Please send any comments or questions about this policy to security@metactf.com.

ACKNOWLEDGMENTS

CISA VDP Template

Tesla Product Security

Arrival Responsible Disclosure Policy

Bugcrowd Standard Disclosure Terms