Reporting a security breach

At Drillster we take information security extremely seriously and we do all we can to keep our systems secure. But it is always possible that you'll spot a weakness we have overlooked. If you do, please let us know, so that we can do something about it quickly. Reporting problems you come across is known as vulnerability disclosure (also known as coordinated vulnerability disclosure and responsible disclosure).

How to report a problem?

Please email the details to responsible.disclosure@drillster.com.

Include as much information as possible, as it will help us reproduce the problem and correct it. Ideally we would like to have a description of what you discovered, complete with steps to reproduce, IP addresses, logs, screenshots and anything else that might help us.

Please include your contact details (phone number or email address), so that we can get in touch if we need to know more.

Some important points

  • Do not share what you have found with anyone.
  • Destroy any sensitive data you have stumbled upon.
  • Do not go deeper into our systems than needed to in order to show that there is a problem.
  • Do not abuse a vulnerability you have discovered. If you do, we will file a police report.

What you do not need to report

Not every problem is a security breach. We do not consider the following issues a security breach and as a result they do not need to be reported as such.

  • Social engineering exploits
  • Resource exhaustion or (distributed) denial of dervice attacks
  • Physical access testing
  • Exploits that cannot be corroborated using a second tool or method
  • Cosmetic issues (contact us at support@drillster.com)
  • Situations where the problem lies with user (awareness) level, i.e. can be exploited when the workplace is left unprotected, click or keypress combinations
  • Simple fingerprinting or version listings on OS, services or ports
  • Reporting of publicly available files that contain public information
  • Secure/HTTP-only flag missing on cookies containing public information only
  • TLS misconfiguration without a proof of concept to exploit the weakness
  • Incomplete or missing SPF, DKIM or DMARC records
  • Services running at thirdparty service providers (verify their responsible disclosure statement on beforehand)
  • Email addresses found at a third party data breach
  • Publicly disclosed vulnerabilities, patched within the last 2 weeks
  • URL redirection (to a valid webpage)
  • Local content spoofing / clickjacking
  • Registered public IP adresses
  • Public files and information leakage through metadata
  • Missing security headers, options and flags
  • Outdated versions without proof-of-concept or working exploit

Known issues

There may be problems that we are already aware of and that are actively being worked on, or that we recognize as an accepted risk. These problems are not published on the website. Our support team is aware of such issues and will let you know if an issue reported by you falls in this category. In these cases the reported issue may not be treated as a security breach.

What we will do

We will email you within one working day, confirming receipt of your report.

Within five working days, we will respond to the content of your report and tell you when the issue will be resolved. Serious weaknesses are fixed as soon as possible and certainly within three months.

We will keep you updated about our progress with fixing the issue.

We will jointly decide whether or not to publish about your findings. Your name will be mentioned only with your express permission.

Security.txt

🔗 RFC 9116 defines a straightforward mechanism for organizations to publish their vulnerability disclosure policies and contacts details. The protocol involves publication of a file called security.txt on the organization's website, written in a specific human and machine-readable text format. We follow this internet standard ourselves. Our security.txt file is available at: https://www.drillster.com/.well-known/security.txt.

Hall of Fame

The following individuals have contributed to our digital safety by responsibly reporting vulnerabilities. We are extremely grateful for their efforts.

Year Contributor
2025 Gaurang Maheta herrypoter8866@gmail.com

 

Last updated on