Vulnerability Disclosure Policy

We take security seriously at Translated, and we’re committed to protecting our stakeholder's data and privacy as the business continuity as well. If you are a security researcher or expert and believe you’ve identified security-related issues with Translated and Matecat website or apps, we would appreciate you disclosing it to us responsibly.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will make it known that your actions were conducted in compliance with this policy.

Translated reserves all legal rights in the event of noncompliance with this policy.

Program Eligibility

To be eligible to participate in our Bug Bounty Program, you must:

  • Not be a resident of, or make Submissions from, a country against which the EU has issued export sanctions or other trade restrictions.
  • Not be excluded by the program for past unfair behaviours

If you

  • do not meet the eligibility requirements above;
  • breach any of these Program Terms or any other agreements you have with Translated;
  • or we determine that your participation in the Bug Bounty Program could adversely one of our stakeholders or the business continuity.

We, in our sole discretion, may remove you from the Bug Bounty Program and disqualify you from receiving any benefit of the Bug Bounty Program.

Disclosure policy

Any data you receive, obtain access to or collect about Translated or any Translated stakeholder is considered Translated’s confidential information ("Confidential Information").

Confidential Information must be kept confidential and only used to provide Translated information in relation to the submitted report.

No further use or exploitation of Confidential Information is allowed. You will permanently erase all Confidential Information for any systems and devices after (rewarded or not) th of the submission of the report.

You may not use, or disclose the information related to the report, without our prior explicit consent.

Please note, not all requests for public disclosure will be approved.

Any unauthorized public disclosure will result in a program ban and, obviously, in not eligible for any reward.

Please review HackerOne's disclosure guidelines for general best practices. For any reports submitted to Translated, this policy supersedes any conflicting HackerOne policies.

How to submit a report

The only intake point for new reports is this form

Reports from different channels will be not handled and will be discarded.

Triage

Let us know as soon as possible upon discovery of a potential security issue. All the reports submitted will be triaged within 90 working days from the date of submission.

Please, do not solicit responses or updates before this timeframe expires.

Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own.

Let us identify you

Please include a header

X-EthicalHacker: < your_email >

when you test so we can identify your requests easily.

If you create a customer account for your test, please, use Ethical as your first name and Hacker as your last name, and provide your email address


Scope

The scope of issues is limited to technical vulnerabilities in the following applications:

  • translated.com website
  • translated.net/hts
  • translated.com/top
  • os.translated.com

  • matecat.com
  • matesub.com
  • modernmt.com website
  • api.modernmt.com

Reports eligible for evaluation are:

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF) if leading to account takeover. Excluded that with minimal security implications (Logout CSRF, etc.)
  • Server Side Request Forgery (SSRF) able to pivot to internal application and/or access credentials Remote Code Execution (RCE), the ability to execute arbitrary commands on a remote system. The only commands allowed are ifconfig, hostname, whoami, touch /root/< hacker_email >.proof.txt.
  • Privilege Escalation ( a non-admin user escalates admin privileges). In this case the report must contain the sequence needed to reproduce the escalation
  • Information Disclosure - massive Personal information leaks including data such as names, emails, phone numbers, and addresses

All the reports must contain a step-by-step description of how the test has been conducted (and, hence, how to reproduce it) and the result (i.e. screenshots, screencast, contact list, etc…).

Out of scope

The following domains are not eligible for bounty

  • *.translated.cloud

All the reports related to the following topics are out of scope (even if conducted on in-scope domains)

  • Physical or social engineering attempts (this includes phishing attacks against employees).
  • Ability to take over social media pages (Twitter, Facebook, Linkedin, etc)
  • Unchained open redirects
  • Reports of out-of-date/vulnerable software without a proof-of-concept
  • Highly speculative reports about theoretical damage
  • Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue
  • Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
  • SSL/TLS scan reports (this means output from sites such as SSL Labs)
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability
  • Subdomain takeovers - please demonstrate that you are able to take over the page by leaving a non-offensive message, such as your username
  • CSV injection
  • Best practices concerns
  • Protocol mismatch
  • Rate limiting
  • Exposed login panels
  • Dangling IPs
  • Vulnerabilities that cannot be used to exploit other users -- e.g. self-xss or having a user paste JavaScript into the browser console
  • Content injection issues
  • Missing cookie flags on non-authentication cookies
  • Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
  • Reports that affect only outdated user agents -- we only consider exploits in the latest browser versions for Safari, FireFox, Chrome, Edge
  • Issues that require physical access to a victim’s computer/device
  • Stack traces
  • Path disclosure
  • Directory listings
  • Banner grabbing issues (figuring out what web server we use, etc.)
  • If a site is abiding by the privacy policy, there is no vulnerability.
  • Distributed denial of service attacks (DDOS)
  • We are generally not interested in DoS vulnerabilities that are perceived by a lack of rate-limiting or captcha. As a web-scale service, our threshold for rate limiting is higher than you would probably expect.
  • Any contact or support forms
  • Missing or incorrect SPF or DMARC records of any kind

Rules

Please do:

  • respect privacy & make a good faith effort not to access, process, or destroy personal data
  • be patient and provide us with clarifications to any questions we may have about your report
  • be respectful and kind when interacting with our team, and our team will do the same
  • use accounts that are your own. We expect your report to clearly reference your email address
  • when testing put all your effort into avoiding negative impact on data and, in general, business continuity
  • if you are unsure, please, stop. If you think you may cause, or have caused, damage by testing a vulnerability, report your initial finding(s) and request authorization to continue testing

Please DON’T

  • do not brute force credentials or guess credentials to gain access to systems
  • do not participate in denial of service or spam attacks
  • do not use vulnerability testing tools that generate a significant volume of traffic
  • do not upload shells or create a backdoor of any kind
  • do not publicly disclose a Vulnerability without our explicit review and consent
  • do not engage in any form of social engineering of our employees, customers, or partners
  • do not attempt to extract, download, or otherwise exfiltrate data other than your own
  • do not change passwords of (and, in general, do not interact with) any account that is not yours. If ever prompted to change a password of an account you did not register yourself, stop and report the finding immediately
  • do not do anything that would be considered a privacy violation, cause destruction of data, or interrupt or degrade our service.

Rewards

All reports submitted in accordance with the rules and scope outlined above and that result in a change of code or configuration are eligible for bounties, ranging from $100 to $1000, depending on the severity of the issue.

We may pay higher rewards for unusually clever or severe vulnerabilities or pay lower rewards for vulnerabilities that require unusual user interaction.

We may also decide a single report actually constitutes multiple bugs or that multiple reports are so closely related that they only warrant a single reward.

You trust the Translated team when the report is rejected because it constitutes an already reported issue. Translated will be not obliged to provide any proof in these cases.

Translated rewards bug bounty hunters on a first-come, first-served basis - the first comprehensive report for the same bug will be awarded any bounty. You trust that Translated will act in a fair way in managing the queue.

The amount of the reward is totally up to the Translated team and is not negotiable in any way.

Legal

We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan, Syria, Russia) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.

Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.

By making a Submission, you give us the right to use your Submission for any purpose.

This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion.

Translated rewards bug bounty hunters on a first come, first served basis so if you find a vulnerability that has just been reported we will not reward you.

Modifications

Please check this site regularly as we routinely update our program terms and eligibility. Modifications are effective upon posting.

Get in touch

Our team is ready to find a solution to your translation needs.

Get in touch