Responsible Disclosure

At Crunch, we take the protection of our customers' data very seriously. We work with top security researchers to continuously challenge and improve our security levels.

We currently do not offer financial rewards for issues reported. We will however do our best to supply some Crunch merchandise or other swag to share our appreciation and of course a position in our hall of fame.

Responsible Disclosure

The disclosure process is there to enable security researchers to identify and flag anything that would impact the confidentiality, integrity, or availability of Crunch’s system or our member's data.

You are a current customer

If you suspect your account has been compromised, please get in touch with us immediately.

Making a responsible disclosure

We encourage you to let us know about the integrity, availability, or confidentiality of our customer data or of Crunch’s systems.

It’s imperative that you follow our guidelines and only work on the areas we’ve highlighted if you want to identify vulnerability as an ethical hacker on our systems.

Rules

Here are the key principles to reporting vulnerabilities to us:

The process

You must comply with all applicable laws and regulations. You must not use an automated tool such as vulnerability/scanning tools (e.g. the Qualys SSL test) which we’re already aware of.

The data

For research purposes, you must create your own account (register for free).

Please do not destroy data or degrade the access to the data (eg. Spam, brute force, Denial of Service etc.) and do not violate any other member’s privacy.

The report

Your report must contain a proof-of-concept or the steps to replicate your findings, with commands/images/video evidence.

Your report must provide a comprehensive business impact assessment of your findings.

This detailed report should only be sent to Crunch by emailing responsible-disclosure

The target

Only the following targets will be considered in-scope:

accounts.crunch.co.uk
my.crunch.co.uk
api.crunch.co.uk
oauth.crunch.co.uk
public-api.crunch.co.uk
developer.crunch.co.uk‍
Crunch Accounting iOS app
Crunch Accounting Android app
www.crunch.co.uk Please note: As the website is driven via a popular CMS we have limited access to evolve. We will only accept submissions for this URL when they coincide with the process of an account being set up. Any other links to this URL will be deemed outside the scope.
‍
As an example, the following would be considered in scope:
- https://www.crunch.co.uk/signup?referrer=ltd-pro-with-year-end#basic-info
- https://www.crunch.co.uk/signup?referrer=ltd-premium#basic-info
  ‍

Non-targets

The following targets are not in scope:

crunchformations.co.uk
community.crunch.co.uk
Crunch Snap iOS app
Crunch Snap Android app
roadmap.crunch.co.uk

Out of scope

The following issues are not considered in scope:

Any physical attempts against Crunch property or data centres.
IP/Port Scanning via Crunch services unless you are able to hit private IPs or Crunch servers.
Attacks that need physical access to a user's device.
Any access to data where the targeted user needs to be operating a jailbroken/rooted mobile device.
Vulnerabilities depending on a client system being exploited already.
Vulnerabilities impacting users of outdated browsers or platforms.
Vulnerabilities involving active content such as web browser add-ons.
Ways to know if a given username or email address has a Crunch account.
The presence/absence of SPF/DMARC records.
Policies around password, email and account, eg. reset link expiration, password complexity.
Host header injections that cannot be used to exfiltrate user data.
Social engineering of Crunch employees, contractors or customers.
Absence of rate limiting.
Phishing risk via unicode or right-to-left-override issues.

Hall of Fame

Here is a list of security researchers that contributed to make Crunch better and more secure: