CARD.com's Website Security - Responsible Disclosure Policy

CARD.com's website is built on several layers of software: the operating system, the web server, the database, and the programming language and framework of the site itself. CARD.com builds its site on top of those layers and shares responsibility with the developers of those products for keeping the software safe.

CARD.com responsible disclosure policy

If you give us a reasonable time to respond to your report before making any information public, and you make a good-faith effort during your research to avoid privacy violations, destruction of data, and interruption or degradation of our service, we will not bring a lawsuit against you or ask law enforcement to investigate you.

However, there are some limitations and requirements you must follow.

Preferred method: Reporting issues via Bugcrowd

The CARD.com disclosure program is managed through Bugcrowd. To see the terms of the program and participate, go to Bugcrowd and sign up as a tester. You will need to accept the Bugcrowd-CARD.com terms of service to engage in testing. If you have identified a vulnerability, please report it via Bugcrowd to be eligible for a reward.

Reporting an issue directly to CARD.com

If you prefer not to use Bugcrowd's system, we still welcome your submission, but we will only respond to valid issues that result in a configuration or code change. All submissions are subject to the scope laid out below.

  • Each issue will be credited to the first individual who reports it.
  • We will include your name and, if you tell us your Twitter or GitHub account, we will link to a gittip.com profile page for that account. Depending on the quality of your report (especially its clarity, detail, and the criticality of the issue) we may also send you some money on gittip.
  • You must not use automated tools that generate a large number of requests (i.e. more than a normal user browsing the site would generate).
  • We have some known issues which we are not interested in receiving reports about:
    • CSRF on forms that are available to anonymous users (e.g. the contact form).
    • Username enumeration: our view is that the username is only one part of a secure login process, so we do not consider it a problem that usernames can be confirmed by brute-force, dictionary-style guessing (submitting a list of candidate names and observing which ones a form treats differently). If usernames are exposed directly, without dictionary-style guessing, we do consider that a vulnerability and welcome reports of such issues.
    • Server software "banner" being displayed: our server may advertise a version (e.g. Apache version X.Y.Z) that appears out of date but is not, because of the way we manage patches to that software. Fixes can be applied without the advertised version string changing, so the banner alone does not establish that a vulnerability is present.
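To make the username-enumeration distinction above concrete, here is an added example (not CARD.com's code, and not a description of its login form) with two constructed login handlers: one whose responses differ between an unknown user and a wrong password, which is exactly the oracle a dictionary-style guess relies on, and one that answers uniformly and does the same amount of password-hashing work either way. The user store, salt, handler names and wordlist are all assumptions made for the example.

```python
"""Added example: telling a dictionary-style enumeration oracle apart from a
uniform login response. Not CARD.com code; all names and data are constructed."""
import hashlib
import hmac
import secrets

# Constructed user store (assumption): username -> salted PBKDF2 hash.
_SALT = b"example-salt"


def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 10_000)


USERS = {"alice": _hash("correct horse"), "bob": _hash("hunter2")}
# Fixed dummy hash so an unknown user costs the same work as a known one.
_DUMMY = _hash("placeholder-not-a-real-password")


def login_leaky(username: str, password: str) -> tuple[int, str]:
    """Distinct status/message for 'no such user' vs 'wrong password'.
    Each guessed name that gets 401 instead of 404 is confirmed to exist."""
    if username not in USERS:
        return 404, "No such user"
    if hmac.compare_digest(USERS[username], _hash(password)):
        return 200, "Welcome"
    return 401, "Wrong password"


def login_uniform(username: str, password: str) -> tuple[int, str]:
    """Same status/message and same hashing work whether or not the user exists."""
    stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(stored, _hash(password))
    if ok and username in USERS:
        return 200, "Welcome"
    return 401, "Invalid username or password"


def is_enumeration_oracle(handler, known_user: str, unknown_user: str) -> bool:
    """True if the handler answers differently for an existing and a
    non-existing username when the same (wrong) password is submitted."""
    bogus = secrets.token_hex(8)
    return handler(known_user, bogus) != handler(unknown_user, bogus)


def enumerate_users(handler, wordlist: list[str]) -> list[str]:
    """Dictionary-style enumeration: keep every candidate name that the handler
    treats differently from a control name that cannot exist."""
    control = "zz-" + secrets.token_hex(8)
    bogus = secrets.token_hex(8)
    baseline = handler(control, bogus)
    return [u for u in wordlist if handler(u, bogus) != baseline]


if __name__ == "__main__":
    wordlist = ["admin", "alice", "bob", "carol"]  # constructed candidate list
    print("leaky handler is an oracle:", is_enumeration_oracle(login_leaky, "alice", "nobody"))
    print("leaky handler enumerates:", enumerate_users(login_leaky, wordlist))
    print("uniform handler is an oracle:", is_enumeration_oracle(login_uniform, "alice", "nobody"))
    print("uniform handler enumerates:", enumerate_users(login_uniform, wordlist))
```

Against a live site, running `enumerate_users` over a real wordlist would generate far more requests than a normal user, which the request-volume rule above forbids; it is shown here only against local stand-in handlers. The uniform handler also hashes a dummy value for unknown users so that response timing, not just the message, stays the same.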

Thanks to security researchers!

If you follow our responsible disclosure policy in reporting a security bug that materially affects CARD.com's websites or infrastructure (see the list below), we will thank you by naming you on this page. In the future we hope to be able to give even more thanks. To report an issue to us, send mail to security AT card.com. If the issue is in upstream software, you are also encouraged to use that project's own reporting process if it has one.

CARD.com software/hardware infrastructure

Our company relies on:

Some software related to our operations:

Some service providers and partner organizations:

Some specific Drupal modules in use on our site. Note that some of these are Drupal core modules, others are contributed or custom modules, and some entries are submodules of a parent module that is in use on our site:

  • A/B test (core) (abtest)
  • Administration menu (admin_menu)
  • Administration views (admin_views)
  • Password Reset Landing Page (PRLP) (prlp)
  • Chaos tools (ctools)
  • Context (context)
  • Context UI (context_ui)
  • Block (block)
  • Contextual links (contextual)
  • Database logging (dblog)
  • Field (field)
  • Field SQL storage (field_sql_storage)
  • Field UI (field_ui)
  • File (file)
  • Filter (filter)
  • Image (image)
  • List (list)
  • Locale (locale)
  • Menu (menu)
  • Node (node)
  • Number (number)
  • Options (options)
  • Path (path)
  • System (system)
  • Taxonomy (taxonomy)
  • Text (text)
  • Update manager (update)
  • User (user)
  • Timezone Detect (timezone_detect)
  • Devel (devel)
  • Drupal for Facebook (fb)
  • Blog (refactoring) (card_blog)
  • Card Email DD Form (refactoring) (card_ema
  • cardcontenttypes (cardcontenttypes)
  • cardcontext (cardcontext)
  • Cardlike FAQ (refactoring) (cardlike_faq)
  • Cardlike General (refactoring) (cardlike_g
  • cardlike_campaign (refactoring) (cardlike_
  • Features (features)
  • Entity Reference (entityreference)
  • Field collection (field_collection)
  • Field extract (field_extract)
  • URL (url)
  • Modernizr (modernizr)
  • GMap (gmap)
  • IP-based determination of Country (ip2coun
  • MailChimp (mailchimp)
  • MailChimp Campaigns (mailchimp_campaign)
  • MailChimp Lists (mailchimp_lists)
  • Mandrill (mandrill)
  • HTML5 Tools (html5_tools)
  • Entity Translation (entity_translation)
  • Block languages (i18n_block)
  • Field translation (i18n_field)
  • Internationalization (i18n)
  • Menu translation (i18n_menu)
  • Path translation (i18n_path)
  • String translation (i18n_string)
  • Taxonomy translation (i18n_taxonomy)
  • Translation redirect (i18n_redirect)
  • Translation sets (i18n_translation)
  • Nodequeue (nodequeue)
  • CORS (cors)
  • Diff (diff)
  • Elements (elements)
  • Email Confirm (email_confirm)
  • Email Registration (email_registration)
  • Entity API (entity)
  • Entity tokens (entity_token)
  • Geocoder (geocoder)
  • geoPHP (geophp)
  • Hide submit button (hide_submit)
  • Libraries (libraries)
  • Menu attributes (menu_attributes)
  • Mollom (mollom)
  • Paranoia (paranoia)
  • Pathauto (pathauto)
  • Performance stats (performance_stats)
  • Publish button (publish_button)
  • Redirect (redirect)
  • Redirect 403 to User Login (r4032login)
  • Security Review (security_review)
  • SQL Injection Test (sqlitest) (sqlitest)
  • Stage File Proxy (stage_file_proxy)
  • Strongarm (strongarm)
  • Token (token)
  • User Diff (user_diff)
  • User revision (user_revision)
  • USPS API Integration (usps_api_integration
  • Global Redirect (globalredirect)
  • Redis (redis)
  • Entity cache (entitycache)
  • QueryPath (querypath)
  • Security Kit (seckit)
  • Metatag (metatag)
  • Metatag: Open Graph (metatag_opengraph)
  • Metatag: Twitter Cards (metatag_twitter_ca
  • jQuery Update (jquery_update)
  • Universally Unique ID (uuid)
  • Variable (variable)
  • Views (views)
  • Views Bulk Operations (views_bulk_operatio
  • Views UI (views_ui)
  • Webform (webform)
  • Zendesk Feedback Tab (zendesk_feedbacktab)