Marvel Bug Bounty Program

Keeping your marvellous prototypes and user information safe and secure is a top priority and a core value for us as a company. As such, we welcome the contribution of external security researchers and look forward to rewarding them for their invaluable contribution to the security of all Marvel users. No technology is perfect, and Marvel believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology.

If you believe you've found a security issue in our product or service, we encourage you to notify us immediately. We welcome working with you to resolve the issue promptly. Reported bugs will be assessed by our security team to determine if they qualify for a reward; Marvel will consider the impact to the company and to our users and will calculate the reward accordingly. Bug submissions will be reviewed within 30 days.

This page is intended for security researchers and professionals. For general information about security at Marvel, please see our main website: https://marvelapp.com/security. If you're having issues related to your individual account, please visit our Help Center (https://help.marvelapp.com/). Love working on Marvel? Then why not work for Marvel? We're hiring: https://marvel.workable.com/
Scope
Our Bug Bounty program is limited to security vulnerabilities in Marvel mobile and web applications; do not attempt phishing attacks against our users under any circumstances. Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks, spam people, or do other similarly questionable things. Vulnerability testing tools that automatically generate significant volumes of traffic are strictly prohibited. The following sites and applications are in scope for this program:

* marvelapp.com (TLD Only)
* Marvel iOS App
* Marvel Android App

Vulnerabilities reported on other Marvel properties or applications, such as blog.marvelapp.com, are currently not eligible for monetary rewards.
Non-qualifying vulnerabilities
The following issues are unlikely to be eligible for a reward:
  • Issues found through automated testing
  • Scanner output or scanner-generated reports
  • CVE vulnerabilities released within the last 60 days
  • Missing HTTP security headers
  • Logout and other instances of low-severity Cross-Site Request Forgery
  • SSL/TLS best practices
  • Denial of Service attacks or rate limiting issues
  • Brute force attacks
  • Lack of CAPTCHA
  • Lack of Secure/HttpOnly flags on non-sensitive cookies
  • Spam, including:
    • SPF and DKIM issues
    • Content injection
    • Hyperlink injection in emails
  • Content spoofing / text injection
  • Issues relating to password and account recovery policies, such as reset link expiration or password complexity
  • Full-path disclosure on any property
  • Clickjacking/UI redressing with no practical security impact
  • CSRF-able actions that do not require authentication (or a session) to exploit
  • Reports related to the following security-related headers:
    • Strict Transport Security (HSTS)
    • XSS mitigation headers (X-XSS-Protection)
    • X-Content-Type-Options (excluding nosniff in an exploitable scenario)
    • Content Security Policy (CSP) settings
  • Bugs that do not represent any security risk
  • Security bugs related to third-party applications and services used by Marvel
  • Email signup and verification methods
Social Engineering
Social engineering attacks against our support and security teams are strictly prohibited. Attempting them will most likely result in your account being closed, and no bounty will be awarded.
Disclosure Policy
  • Let us know as soon as possible via security@marvelapp.com upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Thank you for helping keep Marvel and our users safe and secure!