Company Name: Vulnerability-Lab
Program Type: Responsible Disclosure Program
Official Website: https://www.vulnerability-lab.com
Social Network: https://twitter.com/vuln_lab
Contact: Email Address
PGP KEY: Public PGP Key
Guidelines of the Security Program
This disclosure program is limited to security vulnerabilities in web applications owned by Vulnerability Labs. All vulnerabilities and bugs affecting Vulnerability Lab products (web application, database management system & web engine) or service solutions should be reported via email to the Vulnerability Laboratory Core Research Team.
Eligible Security Bugs & Vulnerabilities (In Scope)
We encourage the coordinated disclosure of the following eligible web application vulnerabilities and bugs:
- Cross Site Scripting
- Server-Side Code Execution
- Authentication or Authorization Flaws
- Directory Traversal
- SQL Injection Vulnerabilities
- Information Disclosure
- Significant Security Misconfiguration
To receive credit, you must be the first reporter of a vulnerability and give us a reasonable amount of time to remediate it before disclosing it publicly. When submitting a vulnerability, please provide concise, easily understood steps to reproduce it.
Security Program Exclusions (Out of Scope)
While we encourage any submission affecting the security of a Vulnerability Laboratory web property, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program:
- Cross Site Request Forgery
- Self XSS
- Layer Transmission Issues
- Content spoofing or Text Injection
- Missing HTTP security headers
- Missing cookie flags on non-sensitive cookies
- Password and recovery policies, such as reset link expiration or password complexity
- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
- SSL/TLS best practices
- Clickjacking/UI Redressing
- Software version or Banner Flag disclosure
- Username / Email / Account enumeration
- Bruteforce attacks
Validation Process of Security Vulnerabilities & Bugs
All submissions will be reviewed, verified and validated by an employee of the Vulnerability Laboratory Core Research Team. Clear and concise steps to reproduce an issue or vulnerability are required.
Rules of Security Program
Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information. Please do not test for spam, social engineering or denial of service issues. Your testing must not violate any law, or disrupt or compromise any data that is not your own. Please contact us directly to report security incidents such as customer data leakage or breach of infrastructure.
Communication Encryption with PGP
Please use the public PGP key of the bug bounty program manufacturer to encrypt communication when exchanging zero-day vulnerabilities or bugs. Using the PGP key is not a requirement to participate in the official bug bounty program. We recommend using PGP encryption (Windows) for the exchange of unknown vulnerabilities.
Copyrights, Permission & Trademarks
All pictures, texts, advisories, source code, resources, videos and other information on the Vulnerability Lab website are trademarks of the Evolution Security GmbH company and the specific authors, manufacturer or manager team. To record, publicly list (feed/auto), modify, publicly demo, copy or edit our material, contact the administrators or managers of the program to obtain permission.