Medium has a program for responsible disclosure of security vulnerabilities. Its rules and details are covered here: Bug Bounty Disclosure Program. Below is the list of issues and categories that do not qualify for the Bounty Program.
Please note that even though some of these issues might be highly relevant in other contexts, in the context of Medium we have determined that they do not pose as great a risk. If you think we are mistaken, please reach out.
- Login/logout CSRF.
- CSRF configuration issues without an exploitable proof of concept. A CSRF proof of concept that only works when the victim's traffic is routed through Burp or another intercepting proxy is not valid or sufficient.
- Missing security headers that do not lead directly to a vulnerability.
- Vulnerabilities in third-party components used at Medium, depending on severity and exploitability. For instance, we keep OpenSSL up to date, but not every OpenSSL security issue affects Medium's configuration.
- Bugs that require unlikely user interaction or phishing. This includes clickjacking, also known as UI redress attacks.
- Newly acquired companies are subject to a blackout period to allow us to review and get everything up to speed. Acquisitions coming out of the blackout period will be added to the scoping list once they are in-scope. Bugs reported sooner than that will typically not qualify for a reward.
- Rate limiting of emails sent during sign-up, sign-in, and change-of-email confirmations.
- Previously issued email login links not being invalidated when multiple login links are requested. All links expire after 2 hours.
- The Android native app not being signed out when the user signs out of all other sessions from the web. In that state the app provides a read-only experience: the user cannot post, recommend, respond, or highlight, and cannot access drafts, bookmarks, history, or settings.
- Using an email spoofing tool to send an email spoofed as sent from a medium.com domain (e.g. email@example.com): the email is delivered but marked as spam, as opposed to not being delivered at all.
- Logging in to medium.com in several browsers or tabs, or logging in and out repeatedly, thereby creating a large number of user sessions.
- Defeating the paywall by clearing cookies, private browsing, or otherwise creating new user sessions.
- Using URLs containing look-alike Unicode characters, also known as homograph attacks.
- Redux DevTools in production. We are aware that Redux DevTools can be used on Medium pages in production. We do not expose any private data through our Redux state, so we do not consider this a risk. However, if you notice data in the state that should not be there, do not hesitate to reach out.