Responsible Disclosure of Security Vulnerabilities
At Crunch, we take the protection of our customers' data very seriously. We work with top security researchers to continuously challenge and improve our security posture.
The disclosure process exists to enable security researchers to identify and flag anything that would impact the confidentiality, integrity, or availability of Crunch's systems or our members' data.
You are a current customer
If you suspect your account has been compromised, please get in touch with us immediately.
Making a responsible disclosure
We encourage you to let us know about anything that affects the confidentiality, integrity, or availability of our customer data or of Crunch's systems.
If you want to look for vulnerabilities in our systems as an ethical hacker, it is imperative that you follow our guidelines and work only on the areas we've highlighted.
Here are the key principles to reporting vulnerabilities to us:
You must comply with all applicable laws and regulations. You must not use automated vulnerability scanning tools (e.g. the Qualys SSL test); we are already aware of what they report.
For research purposes, you must create your own account (registration is free).
Do not destroy data or degrade access to it (e.g. spam, brute force, denial of service), and do not violate any other member's privacy.
Your report must contain a proof of concept or the steps needed to reproduce your findings, with commands, images, or video as evidence.
Your report must include a comprehensive assessment of the business impact of your findings.
This detailed report should only be sent to Crunch by emailing responsible-disclosure
Only the following targets will be considered in-scope:
The following targets are not in scope:
- Crunch Snap iOS app
- Crunch Snap Android app
Out of scope
The following issues are not considered in scope:
- Any physical attempts against Crunch property or data centers.
- IP/Port Scanning via Crunch services unless you are able to hit private IPs or Crunch servers.
- Attacks that need physical access to a user's device.
- Any access to data where the targeted user needs to be operating a jailbroken/rooted mobile device.
- Vulnerabilities depending on a client system being exploited already.
- Vulnerabilities impacting users of outdated browsers or platforms.
- Vulnerabilities involving active content such as web browser add-ons.
- Ways to know if a given username or email address has a Crunch account.
- The presence/absence of SPF/DMARC records.
- Policies around passwords, email and accounts, e.g. reset link expiration, password complexity.
- Host header injections that cannot be used to exfiltrate user data.
- Social engineering of Crunch employees, contractors or customers.
- Absence of rate limiting.
- Phishing risk via unicode or right-to-left-override issues.