Disclosure Policy

Capture The Bug (“CTB”) believes that the coordinated, orderly, public disclosure of vulnerabilities is a crucial aspect of the vulnerability disclosure process. This policy applies to all submissions made through the CTB platform, including New, Triaged, Unresolved, Resolved, Duplicates, Out of Scope, Not Applicable, and Won’t Fix submissions. Program Owners and researchers are encouraged to work together to share information in a mutually agreed manner.

Vulnerability Disclosure Policy for CTB

Coordinated Disclosure

Coordinated Disclosure is the recommended policy for all new public programs and is optional for ongoing private bounty programs. In this model, Program Owners commit to allowing researchers to publish mutually agreed information about the vulnerability after it has been fixed. Program Owners require explicit permission to disclose in the submission record. This applies to all submissions for the program, regardless of validity or acceptance.

Under CTB’s Coordinated Disclosure, researchers may externally publish a limited or full disclosure that the Program Owner has approved. CTB’s Coordinated Disclosure allows Program Owners and Researchers to work through the disclosure process, during which all parties must agree on a date and on the disclosure level (limited or full) for the vulnerability or exploit to be disclosed. Once the vulnerability or exploit is disclosed on CTB’s platform, the Researcher may disclose it publicly, provided the publication adheres to the agreed type of disclosure (limited or full) and to any other parameters agreed for the disclosure.

When you disclose a submission publicly, your username will be shown on the CTB platform.

Non-Disclosure

Non-Disclosure is the default policy for CTB’s Next Generation Penetration Testing. It is common in private bounty programs. In the absence of a Coordinated or Custom Disclosure policy, the expectation of the Researcher and the Program Owner is non-disclosure. This is documented in our Researcher terms and conditions and Code of Ethics.

This means no submissions may be publicly disclosed at any time and is designated by the following text in the program bounty brief:

“Disclosure – Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.”

Custom Disclosure

In some cases, CTB customers customize disclosure requirements in their Program Guide.

Program Disclosure

The existence or details of private programs must not be communicated to anyone who is not a CTB employee or an authorized employee of the organization responsible for the program.

If there is a conflict between the disclosure terms listed in a Program’s brief and CTB’s Researcher Terms and Conditions, the Program Brief supersedes CTB’s terms. If you have any questions, send an email to [email protected]

Accidental Disclosure: Insecure POC video sharing

It is recommended to include a video or screenshot as Proof-of-Concept in your submissions. These files should not be shared publicly. This includes uploading to any publicly accessible websites (e.g., YouTube, Imgur, etc.).