We’re concerned about the security of our site for ourselves, our models, and our customers.
If you discover an exploit or vulnerability in abbywinters.com or a related non-WordPress site, or one of our internal applications, we encourage you to let us know right away. We will investigate all reasonable reports, and do our best to quickly fix the problem.
Responsible Disclosure Policy
Taking a cue from Google and other large tech companies, we have a simple “Responsible Disclosure Policy”, which must be observed when reporting an exploit or vulnerability. If you follow these points, we won’t get our lawyers involved.
- You give us reasonable time to investigate, before making your findings public
- You do not use the exploit to take unauthorised information or media from us
- You make reasonable efforts to ensure private information is not distributed
- You do not exploit a vulnerability for any reason
- You do not violate any laws in your jurisdiction
Bounties
We may, at our discretion, pay Bounties (cash payments) to people who meet our Responsible Disclosure Policy. The amount of the Bounty is determined by the size of the impact and the significance of the risk we assess the discovered issue to carry. For example:
- You find a flaw in a WordPress installation we administer that is fixed in the next WordPress update, and you let us know about it. We have a regular program to update WordPress instances, which are known to be “buggy” in general. This is a small, low-impact, low-risk scenario, so we’re unlikely to pay a bounty for it.
- You find a security misconfiguration that exposes unencrypted admin credentials on one of our Production web applications. This is a larger issue: it’s higher risk, and it has a large impact if exploited. We’d be likely to pay a larger cash bounty, between US$500 and US$1500.
Amounts we pay for bounties are calculated at our discretion only.
If we receive multiple reports of the same issue, we assess on a “first in, best dressed” policy. Issues we’re already aware of are unlikely to attract a bounty.
Taking a lead from Facebook, if you provide proof of donation of the bounty fee we pay you to a recognised charity, we will match that donation to that charity.
If you wish, we will publish your name on this page as recognition of your efforts. (However, to date, no one has wished for that. :()
We typically receive a few reports a month, and roughly one report every two months receives a payment of between $25 and $150. For minor items, we offer a free website subscription.
Reporting a vulnerability
Email garion.hall@abbywinters.com with the subject “Reporting a vulnerability”.