Furthermore, you agree and acknowledge that you will not be entitled to any compensation for any vulnerability submissions made through ResponsibleDisclosure.com.
Responsible Disclosure Policy
This page is for security researchers interested in reporting application security vulnerabilities. This is intended for application security vulnerabilities only. The details within your request form will be submitted to ResponsibleDisclosure.com (operated by an independent third party, Synack). If you have reported an issue determined to be within program scope and to be a valid security issue as described in the Scope and Rules of Engagement, ResponsibleDisclosure.com will validate your finding and you may be allowed to disclose the vulnerability after a fix has been issued. This process is managed exclusively by ResponsibleDisclosure.com through their platform; accordingly, you must accept the ResponsibleDisclosure.com terms of service if you wish to proceed. All queries are to be directed to ResponsibleDisclosure.com and managed exclusively through the ResponsibleDisclosure.com online portal.
Responsible Disclosure Guidelines
- accept the ResponsibleDisclosure.com Terms of Service
- work directly with ResponsibleDisclosure.com on vulnerability submissions in good faith
- provide, where applicable, a detailed description and/or a proof-of-concept to assist in reproduction of vulnerabilities
- not engage in disruptive testing like DoS or any action that could impact the confidentiality, integrity or availability of information and systems
- not engage in social engineering or phishing of customers or employees
- understand the complexities of the review process: Vulnerability adjudication is performed in light of the program scope as well as mitigating factors that may nullify or reduce specific risks to acceptable levels. Decisions are made in a thoughtful manner and are final
You understand and agree that you are not entitled to compensation and you will not request compensation for time and materials or vulnerabilities discovered.
Typical Vulnerabilities Accepted
- OWASP Top 10 vulnerability categories
- Other vulnerabilities with demonstrated impact
Typical Out of Scope
- Theoretical vulnerabilities
- Weak password requirements
- Methods to bypass the paywall
- Self XSS (user defined payload)
For a full list of program scope please visit the Responsible Disclosure details page.