Reporting an issue

We know how much work goes in to pen testing! To avoid frustration, you can check out these common non-vulnerabilities that don't qualify for rewards.

Got a valid issue? Awesome! Please include:

• A summary of the problem
• A severity rating of 1 - 5 (1 being least severe, 5 being most ie. you can easily hijack, impersonate or access any other account or data)
• A PoC or breakdown of how to replicate the issue
• The operating system name and version as well as the web browsers name and version that you used to replicate the issue

GPG Encryption

If you plan to provide access tokens, secure cookies or sensitive data as an example, we kindly ask you GPG encrypt your email. Here is our public GPG key.

Rewards

We're eternally grateful for all of those who put in hard work to identify weaknesses within Buffer. For reports that are not common non-vulnerabilities, we like to reward those who responsibly disclose vulnerabilities with an acknowledgement, swag or bounty money.

Acknowledgements

We appreciate the work that goes into finding and disclosing security flaws in Buffer and would like to thank the following individuals and organizations:

• Sakurity - Security Consulting

We've been working closely with Egor and his team at Sakurity to identify key weaknesses within our app. They've continuously proven to be experts in identifying OAuth weaknesses. They have helped us identify and resolve potential security holes such as account hijacking, access token leaks, XSS and CSRF exploits.

• Aloïs Thévenot
• Harsha Boppana
• Jayson Zabate
• Scott Arciszewski & Taylor Hornby
• Akhilreni
• Manish Bhattacharya
• Jayvardhan Singh
• Ali Hassan Ghori
• Muhammad Talha Khan
• Parichay Rai
• Sumit Saini & Jeet Jaiswal
• Kamil Sevi
• Manjesh S
• Osanda Malith Jayathissa
• Nakul Mohan
• Lynx
• Jerold Camacho
• Mahmoud El-Said El-Naggar
• Siddhesh Gawde
• Sai Kiran
• Evan Ricafort
• WEB PLUS
• Dushyant Sahu
• Gopinath Madurai
• Abdullah Hussam Gazi
• Aditya Agrawal
• Rodolfo Godalle, Jr
• Ch. Muhammad Osama
• Karthickumar Ramanathapuram
• Sunil Dadhich
• Sachin Wagh
• Osama Mahmood
• Mohamed A. Baset
• Bhaskar Borman
• Faisal Ahmed
• Manish Bhandarkar
• Germán Sánchez Garcés
• Shahmeer Amir
• Mohammed Fayez Albanna
• Alonso Torres Cerdas
• Abhiram
• Huzaifa Jawaid
• Mazen Gamal Mesbah
• Shikhil Sharma
• Prayas Kulshrestha
• Ajay Singh Negi
• Prashant Negi
• Mahipal Singh Rajpurohit
• Narendra Bhati
• Hardik Tailor
• Amit Gandhi
• Yakup Yavaş
• Ranjeet Singh
• Abhibandu Kafle
• Abdul Haq Khokhar
• Madhu Akula
• KoF2002 & Sr33h4r
• Mygapu Vandana
• MD MIHIR MISTRY
• Apoorv Joshi
• Satheesh Raj
• Robert Villalon
• Frans Rosén
• Vance Lucas
• Ashesh Kumar
• Sangeetha Rajesh S
• Kiran Karnad
• Ali Kabeel
• Shivam Kumar Agarwal, Nithish Varghese and Sahil Srivastava
• Abdul Rehman
• M.Asim Shahzad
• Koutrouss Naddara
• Hammad Mahmood
• Yash Pandya
• Ryan Sorensen
• Ala Arfaoui
• Raghav Bisht
• Ahmed Y. Elmogy
• Sumit Sahoo
• David Dworken
• Roman Khafizianov
• C. Vishnu Vardhan Reddy
• Sane Sindhuja Reddy
• Waqeeh Ul Hasan
• SaifAllah benMassaoud
• Adam Enger
• Waqar Vicky
• Nadi Abdellah
• Malik Nouman
• Shawar Khan
• Pratap Chandra
• Karim Rahal
• Othmane Tamagart aka 0thm4n@WhiteHatSecurity
• Mikael Byström
• Hammad Qureshi
• Yogesh Modi
• Arbin Godar
• Mohammed Abd Elmageed Eldeeb
• Kunal Arora
• Harish Kumar V
• Mansoor Gilal
• Atik Rahman
• Vladimir Jirasek
• Ajay Kulal
• Swapneil Dash
• Dipak kumar Das (Instasafe Technology)
• Yogendra Jaiswal
• Jon Bottarini
• Bikash Paudel
• Jolan Saluria
• Sreedeep Ck Alavil
• Ace Candelario
• Amal Jacob
• Memon Faisal
• Sreejith Sreenivas AS
• Laishaj BM
• Md Nur A Alam Dipu
• Thrivikram Gujarathi
• Youssef ABYAA
• Oliver Fish
• Ismail Tasdelen
• Ari Apridana
• Aman Shahid
• Christopher Dait