TMG Security’s Responsible Disclosure Policy
We constantly strive to make our systems safe for our customers to use. However, if in the rare case a security researcher or member of the general public discovers a security vulnerability in our systems and responsibly shares the details with us, we appreciate their contribution and work closely with them to address any reported issue with urgency. Further, we are happy to acknowledge your contributions publicly.
- E-mail your findings to [email protected]. Please include your contact information, including a mobile number.
- Do provide enough information to reproduce the problem, so we will be able to resolve it as quickly as possible.
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people’s data.
- Do not reveal the problem to others until it has been resolved.
- Do not use attacks on physical security, social engineering, distributed denial of service, spam, etc.
Scope
- https://tmgsec.com
- https://courses.tmgsec.com
Note – Any subdomain or asset owned by TMG Security other than the two mentioned above is out of scope and is not eligible for any reward.
Out of scope are trivial vulnerabilities or bugs that cannot be abused. The following is a non-exhaustive list of examples of such vulnerabilities:
- HTTP 404 codes/pages or other HTTP non-200 codes/pages and Content Spoofing/Text Injection on these pages.
- Automated scanner vulnerabilities / CVEs.
- Fingerprinting or other ways in which software versions are disclosed on common/public services.
- Disclosure of known public files or directories or non-sensitive information (e.g. directories set up for downloads).
- Clickjacking and issues only exploitable through clickjacking.
- Login / Logout CSRF
- Open Redirect – Unless it’s escalated to another severe issue.
- Lack of Secure / HttpOnly flags on non-sensitive cookies.
- OPTIONS HTTP method enabled.
- Weak Password Vulnerability
- WordPress Vulnerabilities
- Anything related to HTTP security headers, e.g.:
  - Strict-Transport-Security.
  - X-Frame-Options.
  - X-XSS-Protection.
  - X-Content-Type-Options.
  - Content-Security-Policy.
- SSL configuration issues:
  - SSL forward secrecy not enabled.
  - Weak / insecure cipher suites.
- SPF, DKIM, DMARC issues.
- Reporting older versions of any software without proof of concept or working exploit.
- Systems and protocols that can be used in DDoS or DoS attacks.
Also, reports that can be considered a beg bounty will be neither processed nor responded to.
Rules of engagement
If you think you’ve identified a vulnerability, we’d also very much appreciate it if you:
- Don’t exploit your finding.
- Share the information with just us, not other parties.
- Give us time to analyze the situation and fix the bug.