At Crunch, we take the protection of our customers' data very seriously. We work with top security researchers to continuously challenge and improve our security levels.
We currently do not offer financial rewards for issues reported. We will however do our best to supply some Crunch merchandise or other swag to share our appreciation and of course a position in our hall of fame.
The disclosure process is there to enable security researchers to identify and flag anything that would impact the confidentiality, integrity, or availability of Crunch's systems or our members' data.
You are a current customer
If you suspect your account has been compromised, please get in touch with us immediately.
Making a responsible disclosure
We encourage you to let us know about anything that affects the integrity, availability, or confidentiality of our customer data or of Crunch's systems.
It is imperative that you follow our guidelines and only work on the areas we have highlighted if you want to identify vulnerabilities in our systems as an ethical hacker.
Here are the key principles to reporting vulnerabilities to us:
You must comply with all applicable laws and regulations. You must not use automated tools such as vulnerability scanners (e.g. the Qualys SSL test), whose findings we are already aware of.
For research purposes, you must create your own account (register for free).
Please do not destroy data or degrade access to it (e.g. spam, brute force, denial of service, etc.), and do not violate any other member's privacy.
Your report must contain a proof-of-concept or the steps to replicate your findings, with commands/images/video evidence.
Your report must provide a comprehensive business impact assessment of your findings.
This detailed report should only be sent to Crunch by emailing responsible-disclosure
Only the following targets will be considered in-scope:
- www.crunch.co.uk. Please note: as the website is driven by a popular CMS, we have limited ability to change it. We will only accept submissions for this URL when they relate to the process of an account being set up. Any other links on this URL will be deemed outside the scope.
As an example, the following would be considered in scope:
The following targets are not in scope:
- Crunch Snap iOS app
- Crunch Snap Android app
Out of scope
The following issues are not considered in scope:
- Any physical attempts against Crunch property or data centres.
- IP/port scanning via Crunch services, unless you are able to reach private IPs or Crunch servers.
- Attacks that need physical access to a user's device.
- Any access to data where the targeted user needs to be operating a jailbroken/rooted mobile device.
- Vulnerabilities depending on a client system being exploited already.
- Vulnerabilities impacting users of outdated browsers or platforms.
- Vulnerabilities involving active content such as web browser add-ons.
- Ways to know if a given username or email address has a Crunch account.
- The presence/absence of SPF/DMARC records.
- Policies around passwords, email and accounts, e.g. reset link expiration or password complexity.
- Host header injections that cannot be used to exfiltrate user data.
- Social engineering of Crunch employees, contractors or customers.
- Absence of rate limiting.
- Phishing risk via Unicode or right-to-left-override issues.
Hall of Fame
Here is a list of security researchers who contributed to making Crunch better and more secure:
- Areeb Jamal
- Muhammad Adnankhan Pathan
- Sathish K
- Kokalagi Rushikesh
- Min Won
- Fika Februarinto (@Pikpikcu)
- Zax Asif
- Foysal Ahmed
- Parag Bagul
- Eusebiu Daniel Blindu
- Roneil Bordallo
- Opinder Singh
- Abhijith A
- Nikhil Rane
- Satyam Singh
- Mohd Farzaan
- Abdelrhman Allam
- Aakash Tayal
- Vinay Sati
- Shubham Choudhery
- Nilesh Agrawal Koyo
- Taseer Hussain
- Nik Ran
- Durvesh Kolhe