ReadMe Documentation

Bug Bounty Program

Submitting a bug

Report all bugs to security@readme.io

Before you submit a bug

  • Provide details of the vulnerability, including the information needed to reproduce and validate it, along with a proof of concept (PoC)
  • Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
  • Do not modify or access data that does not belong to you
  • Give us a reasonable time to correct the issue before making any information public
  • Social engineering and denial-of-service attacks are out of scope for white-hat testing; please do not attempt them

Domains and Applications within the scope of the program

  • Any subdomain of readme.io (*.readme.io)

Rewards

  • Bounties are awarded at the discretion of the Bug Bounty Panel
  • Only one bounty is awarded per security bug; previously reported vulnerabilities are not rewarded
  • If you choose to donate the bounty to a recognized charity, we will match your donation (subject to our discretion) so that the charity receives double the bounty amount
  • Rewards are paid only to individuals
  • Rewards not claimed within 3 months are forfeited
  • Individuals on a sanctions list, or located in a country under sanctions, are not eligible

Qualifying Vulnerabilities

  • Injection attacks
  • Cross-Site Scripting (XSS), excluding files.readme.io: anyone can sign up and serve their own JavaScript from a readme.io subdomain, so script execution on that host is expected behavior rather than a vulnerability
  • Remote Code Execution (RCE)
  • Cross-Site Request Forgery (CSRF)
  • Broken Authentication
  • Authorization Flaws / Privilege Escalation
  • Directory Traversal
  • Sensitive Information leaks or disclosure

Non-Qualifying Vulnerabilities

  • Self-XSS
  • Username or email address enumeration
  • Content spoofing / Text injection
  • XSS vulnerabilities on sandbox domains
  • Unvalidated / Open Redirects
  • Clickjacking on unauthenticated pages or on cases with no state-changing action
  • Login/Logout/Unauthenticated CSRF
  • Missing cookie flags on non-sensitive cookies
  • Missing security headers which do not lead directly to a vulnerability
  • Reports from automated tools or scans
  • Vulnerabilities affecting users of outdated or unsupported browsers or platforms
  • Attacks requiring physical access to a user device
  • Social engineering
  • Low-impact descriptive error pages and information disclosures that reveal no sensitive information
  • Invalid or missing SPF/DMARC records
  • Password and account policies, such as reset link expiration or password complexity
  • HTML Injection
