CARD.com's Website Security - Responsible Disclosure Policy

CARD.com's website is based on several layers of software including the operating system, webserver, database, and programming language of the site itself. CARD.com builds our site on top of those layers of software and has a shared responsibility with the developers of those products to keep the software safe.

CARD.com responsible disclosure policy

If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.

However, there are some limitations and requirements you must follow.

Preferred method: Reporting issues via Bugcrowd

The CARD.com disclosure program is managed through Bugcrowd. To see the terms of the program and participate, go to Bugcrowd and sign up as a tester. You will need to accept the Bugcrowd-CARD.com terms of service to engage in testing. If you have identified a vulnerability, please report it via Bugcrowd to be eligible for a reward.

Reporting an issue directly to CARD.com

If you prefer not to use Bugcrowd's system, we still welcome your submission but will only respond to valid issues that initiate a configuration or code change. All issue submissions are subject to the scope laid out below.

  • Each issue will be credited to the first individual who reports it
  • We will include your name and, if you provide a link, we may include that as well
  • You must not use automated tools that generate a large number of requests (i.e. more than a normal user browsing the site would generate)
  • We have some known issues which we are not interested in receiving reports about:
    • CSRF on forms that are available to anonymous users (e.g. the contact form)
    • Username enumeration: our feeling is that usernames are only part of a secure login process and we do not consider allowing a brute-force dictionary-style enumeration to be a problem. If usernames are exposed without requiring dictionary-style guessing then we do consider that to be a vulnerability and welcome any reports of such issues.
    • Server software "banner" being displayed: our server may show a banner (e.g. Apache version X.Y.Z) that appears out of date, but which is not in fact out of date because of the way we manage patches to that software (security fixes are applied without changing the reported version).

Thanks to security researchers!

If you follow our responsible disclosure policy in reporting a security bug that materially affects CARD.com's websites or infrastructure (see below for a list of those), we will thank you by naming you on this page. In the future we hope to be able to give even more thanks. To report an issue to us, send an email to security AT card.com. If the issue is in upstream software, you are also encouraged to use that project's contact process if it has one.

CARD.com software/hardware infrastructure

Our stack uses:

Some service providers and partner organizations: