Vulnerability Disclosure Program
Security at Redlimit
We take security seriously. If you discover a vulnerability, we want to hear from you. Report responsibly and help us keep our platform safe.
- Researchers: 0
- Avg Response Time: <24h
- Bugs Resolved: 0
- Safe Harbor: Legal Protection
In Scope
| Target | Type | Severity Range |
|---|---|---|
| hack.redlimit.id | Web Application | Critical - Low |
| API (hack.redlimit.id/api/*) | API | Critical - Low |
Accepted Vulnerability Types
- Remote Code Execution (RCE)
- SQL Injection
- Cross-Site Scripting (XSS)
- Server-Side Request Forgery (SSRF)
- Insecure Direct Object Reference (IDOR)
- Authentication Bypass
- Privilege Escalation
- Information Disclosure
- Cross-Site Request Forgery (CSRF)
- Business Logic Errors
Out of Scope
- Denial of Service (DoS/DDoS) attacks
- Social engineering attacks against Redlimit staff
- Physical security attacks
- Attacks on third-party services we use
- Spam or phishing
- Self-XSS that cannot affect other users
- Missing security headers that do not lead to direct exploitation
- Clickjacking on pages with no sensitive actions
- Rate limiting issues on non-critical endpoints
Rules of Engagement
1. Do not access, modify, or delete data that does not belong to you. Create test accounts for testing.
2. Do not perform actions that could impact availability (DoS, mass scanning, brute force at scale).
3. Report vulnerabilities promptly. Do not disclose publicly until we have resolved the issue.
4. Provide detailed reproduction steps and proof of concept. The more detail, the faster we can fix it.
5. Researchers who follow these rules are protected under our Safe Harbor policy. We will not pursue legal action.
