Hall of Thanks Eligibility Guidelines

We're particularly interested in:

  • XSS attacks
  • SQL injection
  • Remote code execution
  • Circumventing permission limitations
  • CSRF attacks

The following issues will not qualify your report for our Hall of Thanks:

  • Spam or social engineering techniques.
  • Denial-of-service attacks.
  • JavaScript execution that requires you to convince the victim to paste malicious code in their Silk. By that logic, the web inspector and address bar would be major vulnerabilities too.
  • CSRF on the registration page. This falls under the denial of service category.
  • Clickjacking/UI redressing: while it is our intention to disable iframes on most pages, we currently still allow iframes due to specific requirements of our customers. We’re aware of the issues involved and are working on resolving them in a way that balances security with the needs of our users.
  • Secure flag on cookies, HTTPS on all pages: while it is our intention to move to an HTTPS-only model, we currently need to continue serving pages over HTTP due to specific requirements of our customers. We’re aware of the issues involved and are working on resolving them in a way that balances security with the needs of our users.