Responsible Disclosure Policy
The security of users’ data is always our top priority. If you have discovered a security vulnerability anywhere in our services, we greatly appreciate your cooperation in disclosing it to us in a responsible manner, following the guidelines set out in this Policy.
We commit to acknowledge, validate, and fix vulnerabilities in the timeliest manner possible. We will not take legal action against or suspend access to our services for any party that has responsibly disclosed vulnerabilities discovered.
We would like to give proper credit to the people who help us improve our services and protect the SiteGround community. If you discover a valid significant vulnerability and report it in accordance with this Policy, we will add your name to our Honor Roll. If you wish to keep your disclosure confidential, just let us know and we will never reveal your identity. If the same vulnerability is reported by several parties before it is fixed, the acknowledgment will go to the first one to report the issue.
Rules
- If you believe you have found a vulnerability, do not share details about it with any third parties or the general public before it has been fixed;
- You can only conduct testing on accounts that you own or have permission from the owner to test on;
- Do not try to gain control of another user’s account or data;
- SPAM and DDoS attacks are never permitted;
- Do not use automated tools to find vulnerabilities;
- Automated/manual password guessing (also known as a "brute-force attack") against login forms is not permitted;
- Never use non-technical methods such as phishing and/or social engineering against employees or customers of SiteGround;
- Physical attacks against equipment, infrastructure, offices, and/or employees of SiteGround and/or our partners are strictly forbidden.
How to report
Send us an e-mail at responsible-disclosure@siteground.com with the details of the vulnerability you have discovered. Please make sure to include the following:
- As much detail as possible about the nature of the vulnerability so as to allow us to reproduce your steps;
- Your e-mail address;
- Name and a link to your Twitter/Facebook profile as you would like them to appear on this page.
Honor Roll
We are very grateful to the community of users and security researchers who have helped us improve our services and make them more secure. The following individuals and organizations have discovered vulnerabilities and reported them to us in accordance with this Policy:
- Ashley Boxshall
- Garry Bacalso
- Ali Hassan Ghori
- Divakar
- Rodolfo Godalle, Jr.
- Kamil Sevi
- Koutrouss Naddara
- Gineesh George
- Nitin Goplani
- Germán Sánchez Garcés
- Akhil Reni
- FaisaL Ahmed
- S.Venkatesh
- Kalpesh Makwana
- Ajay Singh Negi, Prashant Negi, and Mahipal Singh Rajpurohit
- Mayur Agnihotri
- Milan A Solanki
- Gerasimos Panou
- Shivam Kumar Agarwal
- Ramin Farajpour Cami
- Muhammad Osama
- Amitay Dan
- Markus Alvila
- Maulik Vaidh
- Wai Yan Aung
- Hsu Myat Noe
- Muhammad Waqas
- Andrea Sorrentino
- Pritam Mukherjee
- Antonio Mello
- Chloe Chamberland, Wordfence
- Volodymyr "Bob" Diachenko
- Nicolas Armua
- Tomas Castro Rojas
- So Sakaguchi
- Elmir Imamovic - Workvivo Security Team
- Eugene
- Felipe Restrepo Rodríguez | Security Researcher - Bug Bounter
- Jeroen Gui
- Craig Carr - PostgreSQL pg shadow leak
- Yash Somalkar
- Nadeem Khadim
- Francesco Carlucci