Ghost Inspector prioritizes security. Keeping our service and user data secure is of paramount importance. With that being the case, we welcome the help of security researchers around the world. Help us improve our service by responsibly reporting vulnerabilities that are uncovered. The information below outlines how we process and reward vulnerabilities that are reported to us.
Ghost Inspector may provide rewards to eligible reporters of qualifying vulnerabilities. Ghost Inspector will determine in its discretion whether a reward should be granted and the amount of the reward. We may choose to pay higher rewards for unusually clever or severe vulnerabilities, and lower rewards for vulnerabilities that require significant or unusual user interaction. This is not a contest or competition. We are appreciative of all responsible reports that are sent our way.
This program applies to all *.ghostinspector.com domains, including the promotional website, application, API and email service.
The procedure for contacting Ghost Inspector to report security issues is outlined in our security section. Issues must be reported using the appropriate email address and encryption procedure.
If you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy. When demonstrating a vulnerability, please do so in an unobtrusive manner to avoid drawing public attention to the vulnerability. Vulnerabilities that are exposed publicly as a part of putting together a proof of concept (e.g. website defacement, stored XSS on a public site) are not eligible for reward.
We are happy to thank everyone who submits valid reports which help us improve the security of Ghost Inspector! However, only those that meet the following eligibility requirements may receive a monetary reward:
Any design or implementation issue that is reproducible and substantially affects the security of Ghost Inspector users is likely to be in scope for the program. Common examples include:
Depending on their impact, not all reported issues may qualify for a monetary reward. However, all reports are reviewed on a case-by-case basis.
Please refrain from accessing private information (use test accounts), performing actions that may negatively affect Ghost Inspector users (spam, denial of service), or sending reports from automated tools without verifying them.
The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):
You must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.
We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. This program was initially implemented on May 26th 2017. Bounties will not be retroactively paid for qualifying issues that may have been reported prior to this date.
A big thank you to the following folks for responsibly reporting security concerns to us.
* If you've reached out to us in the past and would like to be listed here, please contact us.