Responsible Disclosure Policy

As everything in this universe, applications contain flaws and vulnerabilities. If you believe you found a security issue in one of our services, please report it to us after reading our responsible disclosure policy.

Qualifying Vulnerabilities

What types of vulnerabilities we are interested in:

  • Remote Code Execution
  • SQL Injection
  • Unrestricted File System Access
  • Significant Authentication / Authorization Bypass
  • Cross-Site Scripting (excluding self-XSS)
  • Cross-Site Request Forgery on critical actions (such as changing username/password)
  • Any vulnerability that affects our users/servers

Non-Qualifying Vulnerabilities

Vulnerabilities we’re not interested in:

  • CSRF on forms that are available to anonymous users (e.g. Contact Forms)
  • Self-XSS or XSS bugs requiring an unlikely amount of user interaction
  • Missing HTTP security headers, specifically: Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy
  • Vulnerabilities affecting users of outdated or unsupported browsers or platforms
  • Reports of spam, phishing or security best practices
  • Tabnabbing
  • Email configuration issues (SPF, DKIM, DMARC)
  • Weak Captcha / Captcha Bypass
  • Forced Login / Logout CSRF
  • DDoS/ Dos attacks
  • Spreading malware/virus into our network

Responsible Disclosure Guidelines

While we encourage you to report bugs to us we have some rules too. If you don’t follow it you will be disqualified from our responsible disclosure program:

  • Disclosing any vulnerabilities or suspected vulnerabilities you discover to any other 3rd party
    (a gov, company, person).
  • Do not run automated tools on our servers.
  • Vulnerability reports received prior to the responsible disclosure program launch are not eligible for the hall of fame and may not be re-submitted for a recognition.
  • We may terminate this program at any time without notice.
  • Your participation in this program does not create any kind of employment relationship or partnership between you and Earthlink.




Any Earthlink website



Any website related to Earthlink.



Any mobile app related to EarthLink

If you read our policy and still believe you found something please reach us at:

Hall of Fame

Thank you for helping us to keep our users safe!

Since our responsible disclosure is still an amateur we will not offer monetary rewards (for now). But we will thank you and add your name to our hall of fame here.

We would like to thank the following secuirity researcher(s) that help us to keep our users secure:

Bug Hunter

Be the first

Report a problem, and be the first in the Hall of Fame.

Bug Hunter

This field is empty

No problem has been reported on Earthlink sites or applications.

Scroll to top