We welcome reports from security researchers and experts about possible security vulnerabilities with our service. We're particularly interested in hearing about vulnerabilities that impact the confidentiality or integrity of user information or systems, and have the potential to impact a large number of people.
Reports must be about app.geckoboard.com exclusively. www.geckoboard.com and other static Geckoboard pages are out of scope.
Geckoboard may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities. Our reward for vulnerabilities deemed low is a t-shirt (we are currently unable to ship to India, Pakistan, Sri Lanka, Nepal, Bangladesh, the Philippines and the United Arab Emirates), and our reward for vulnerabilities deemed medium or high is up to US$500 (a value between US$0 and US$500). The following table outlines the categories that will result from our evaluation (our adaptation of Cobalt's best practices).
| Category | Description |
|---|---|
| Declined | False positives and/or very minor criticality that won't necessarily result in a change of code. |
| Duplicate | The same report has been made before, or we are aware of the issue from another source. |
| Low | Vulnerabilities like insecure cookies, clickjacking or insufficient password complexity are generally of low criticality, as they are dependent on other issues and cannot be exploited by themselves. |
| Medium | Cross-site request forgery (XSRF or CSRF) vulnerabilities, or those that might result in the changing of users' data. |
| High | Vulnerabilities of high criticality are those that would result in bypassing authentication. An example of a high-criticality vulnerability is a successful SQL injection that could be used to read data, delete users, or perform other kinds of database modifications. |
If you believe you have found a security vulnerability on Geckoboard, we encourage you to let us know straight away. We will investigate all legitimate reports, evaluate them, and do our best to fix the problem quickly where applicable.
Before reporting though, please review this article, including our responsible disclosure policy. Geckoboard pledges not to initiate legal action against researchers for penetrating or attempting to penetrate our systems as long as they adhere to this policy.
If you're looking to report another type of issue, please submit a request.
How to report security vulnerabilities
Please do not publicly disclose these details without express written consent from Geckoboard.
In reporting any suspected vulnerabilities, please include the following information:
1) Proof of Concept: vulnerability details, with information to allow us to efficiently reproduce your steps.
- Write a detailed but easy to understand description of the
- Write a detailed but easy to understand threat scenario or impact
- Provide a visual representation of your workflow to exploit the vulnerability. This can be screenshots or video.
2) Your email address.
Send the report to firstname.lastname@example.org