Vulnerability Disclosure Program (VDP)

We take security seriously at elmah.io. To keep our platform and our customers safe, we invite security researchers and ethical hackers to report vulnerabilities responsibly.

This page outlines our Vulnerability Disclosure Program, what we are interested in, and how to report issues.

Scope

The following domains are in scope:

  • elmah.io
  • app.elmah.io
  • api.elmah.io
  • docs.elmah.io
  • blog.elmah.io

  • Any other subdomain owned by elmah.io

Only vulnerabilities in production environments are eligible. Testing against demo or staging environments is not supported and will not be accepted.

Rules of Engagement

  • Do no harm: Do not exploit vulnerabilities beyond what is necessary to demonstrate them.
  • Respect data: Never access, modify, or delete customer data. Use your own account where possible.
  • Responsible disclosure: Give us a reasonable time to investigate and fix issues before making anything public.
  • No disruption: Do not perform attacks that degrade our service (e.g., DDoS, spam, brute force).

What We're Looking For

We are particularly interested in:

  • Authentication or authorization bypasses
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • SQL/NoSQL injection
  • Server-Side Request Forgery (SSRF)
  • Sensitive data exposure
  • Misconfigurations that could lead to compromise

Reports that are not eligible include:

  • Denial of Service (DoS / DDoS)
  • Vulnerabilities in third-party services we use
  • Best-practice suggestions without a clear security impact
  • Missing security headers without an exploit scenario
  • Social engineering, phishing, or physical security attacks
  • In general, unverified findings produced solely by automated tools (security header scanners, etc.) without a demonstrated security impact

Recognition

We appreciate contributions from the security community. Accepted reports may be rewarded with money or swag, depending on severity, novelty, and impact. Please note that reports of issues that are already known to us, are duplicates of previously submitted reports, or are otherwise not accepted, will not be eligible for a reward.

Communication & Conduct

We value respectful and professional communication. Most security researchers we work with follow responsible disclosure practices, but unfortunately, we have also experienced cases of hostile or threatening behavior.

To be clear:

  • Threats are not tolerated, including threats of disclosing vulnerabilities on the dark web, public forums, or elsewhere if certain demands are not met.
  • Respectful communication is required. We are here to collaborate, not to negotiate under pressure.
  • Immediate blocking: if an email contains threats, aggressive language, or blackmail, the sender will be blocked immediately, and no further reports from that individual will be considered.

We are committed to working with researchers in good faith and expect the same in return.

How to Report

Please send reports to [email protected] with the following details:

  • A clear description of the vulnerability.
  • Steps to reproduce, including code snippets or screenshots.
  • The potential impact if exploited.
  • Your contact information.

We aim to respond to initial reports within 72 hours.


This article was brought to you by the elmah.io team. elmah.io is the best error management system for .NET web applications. We monitor your website, alert you when errors start happening, and help you fix errors fast.