On behalf of Pango, we would like to thank the following individuals, companies, and/or organizations who have agreed to be credited on this list.
The researchers that comprise this list have privately reported security issues and other vulnerabilities that have affected Pango-owned websites or products, including any other online services owned by Pango.
How to report an issue
To report an issue with any Pango website or product, including any other online services owned by Pango, please contact [email protected] . The Pango Security team will use their full discretion to make the final decision for granting, refusing, and/or publishing these credits — including their form and content — by applying the rules below.
Additionally, please allow a reasonable response time (usually between 3-7 business days) after submitting your report for a security operations team member to respond to your email.
Mail sent to [email protected] can be encrypted with the PGP key: https://pgp.mit.edu/pks/lookup?op=vindex&search=0x8726B5241423D0EB
Rules and regulations
We will refuse to credit researchers on this list if any of the rules listed below are breached, or if we determine any other unethical, irresponsible, or illegal behavior, or any combination thereof. This includes the right to retroactively remove any previously published credit.
Additionally, reports we do not classify as security issues are not eligible for acknowledgement on this page. These instances include, but are not limited to:
- Directory Listings. We make certain content available using directory listings. Please only report these if you find (what can reasonably be assessed as) non-public content being exposed
- Version Numbers. We do not hide the version numbers of online service components and you should expect these will not be the latest upstream versions.
- Secure Certificate Issues (mismatched host names, expired certificates, HTTP only websites, support for older protocols such as SSLv3, etc.)
- Reports from automated tools or scanners without manual verification and analysis
- Theoretical attacks without proof of exploitability
- Brute force attacks (e.g. on passwords or tokens)
- Attacks involving any user accounts not created by you on any of our online services
- Attacks involving physical access to a user’s device, or involving a device or network that is already compromised
- Missing security headers that do not lead directly to a vulnerability
- Cookies missing secure or HttpOnly flags
- Bugs that rely on an unlikely user interaction
- Issues that are the result of a user deliberately performing an insecure action (like sharing their account password)
- Social engineering of Pango staff or users
- Some Pango powered services are provided by third parties. If you notify us about security issues on such sites or products, we will coordinate fixes with the affected vendors and acknowledgements maybe given by those vendors or under their rules.
- Some security issues may be due to underlying vulnerabilities in third-party applications that we use. In these cases we will coordinate fixes with the application vendor and acknowledgements maybe given by those vendors
- We expect you to make a good-faith effort to avoid privacy violations, destruction of data, or degradation to our service during your research. Please avoid using tools that are likely to automatically generate significant volumes of traffic or otherwise cause operational problems for our sites.
Acknowledgements (listed by year and by product):
- Paulos Yibelo (twitter.com/paulosyibelo) and File Descriptor [3 flaws]
- Kushal Arvind Shah of Fortinet’s FortiGuard Labs
- Sébastien Kaul
- Hassan Ahmed Khan (facebook.com/profile.php?id=100004793059302) and 2 Flaws
- Rob Salmond (https://twitter.com/phro)
- Tom Jeff