Bug Bounty and Security Reporting Terms

Dated: November 12, 2019

Cronometer is committed to keeping our service and our users secure, and we appreciate the insights of independent security researchers that make our products safer. If you become aware of any security issues (aka bugs) in the Cronometer web-based service or iPhone or Android apps, you can bring them to our attention at security@cronometer.com.

Keeping Data Safe

The privacy of our customers’ data is our priority. You may test for security issues against your own user account or against unique test accounts that you create, but accessing other users’ accounts or data is strictly prohibited. Your research activity must not harm other users. Never exfiltrate or modify data on our systems. If you accidentally encounter another user’s data, stop and inform us immediately. Do not conduct testing that affects the general availability of Cronometer, such as denial-of-service (DoS/DDoS) attacks.

Safe Harbor

As long as you follow these terms, we will consider your research activity authorized and will not initiate legal action against you regarding that research activity under applicable anti-hacking laws.

Rewards

Cronometer does not promise any reward in exchange for reports of security issues. In some circumstances, and at Cronometer’s sole discretion, Cronometer may decide to provide a reward to independent security researchers who provide us with a report of an issue that we can reproduce, that has an impact, and that leads to system improvements. We will not negotiate rewards under duress, and consider attempts to do so to be a violation of this policy.

Communication and Disclosure

We will make every effort to respond to security reports within a few days, but please be patient. If you would like to conduct a coordinated disclosure, please let us know so we can discuss it. Public disclosure is not allowed until and unless Cronometer has explicitly authorized it. Some security issues may not be eligible for disclosure, at our discretion.

Additional Terms

In limited circumstances, Cronometer may require additional information or cooperation from you, including additional terms, in connection with processing bug reports and ensuring data protection. Please be prepared to provide additional information and cooperation when requested. All other terms of Cronometer services apply unless explicitly addressed here. We reserve the right to change the terms of this program at any time and at Cronometer’s sole discretion.

Out of Scope

The following areas/issues are considered out of scope and are not eligible for a bounty:

  • Login and logout CSRF
  • Missing or weak rate limiting
  • Email spoofing and SPF/DKIM/DMARC policy issues
  • User enumeration
  • Password policies
  • Missing HTTP security headers
  • Clickjacking with no practical security impact
  • DoS/DDoS of the blog (WordPress)