Responsible Disclosure Policy
What types of vulnerabilities we are interested in:
- Remote Code Execution
- SQL Injection
- Unrestricted File System Access
- Significant Authentication / Authorization Bypass
- Cross-Site Scripting (excluding self-XSS)
- Cross-Site Request Forgery on critical actions (such as changing username/password)
- Any vulnerability that affects our users/servers
Vulnerabilities we’re not interested in:
- CSRF on forms that are available to anonymous users (e.g. Contact Forms)
- Self-XSS or XSS bugs requiring an unlikely amount of user interaction
- Missing HTTP security headers, specifically: Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy
- Vulnerabilities affecting users of outdated or unsupported browsers or platforms
- Reports of spam, phishing or security best practices
- Email configuration issues (SPF, DKIM, DMARC)
- Weak Captcha / Captcha Bypass
- Forced Login / Logout CSRF
- DDoS/DoS attacks
- Spreading malware/virus into our network
Responsible Disclosure Guidelines
While we encourage you to report bugs to us, we have some rules too. If you don’t follow them, you will be disqualified from our responsible disclosure program:
Any Earthlink website
Any website related to Earthlink.
Any mobile app related to EarthLink
If you read our policy and still believe you found something, please reach us at:
Hall of Fame
Thank you for helping us to keep our users safe!
Since our responsible disclosure program is still an amateur effort, we will not offer monetary rewards (for now). But we will thank you and add your name to our Hall of Fame here.
We would like to thank the following security researcher(s) who help us to keep our users secure:
Be the first
Report a problem, and be the first in the Hall of Fame.
This field is empty
No problem has been reported on Earthlink sites or applications.