We recognize the important role that security researchers and our community play in keeping Gumtree and our customers secure. If you believe you've found a vulnerability, we would like to work with you to investigate it as quickly as possible. Please send us as much information as possible to help us better understand the nature and scope of the possible issue.
Responsible disclosure policy
In the event you discover a site or product vulnerability, please notify us using the guidelines below. We need time to review your notification and respond to your report. Therefore, we kindly request that you give us reasonable time (being not less than 180 days) to respond before you make any information public regarding the vulnerability, and that you make a good faith effort to avoid destruction of data and interruption or degradation of our service during your research. In the event we believe you are not acting in good faith, we reserve all rights to bring legal proceedings against you or ask law enforcement to investigate you.
Guidelines for responsible disclosure
- Share the site or product vulnerability with us without making it public.
- Report only through the following URL, which safeguards the confidentiality of the report: https://app.zerocopter.com/en/rd/a19ae069-9007-4e85-835d-b52d62911993
- Allow us a reasonable amount of time (depending on the type of vulnerability or issue you report) to respond to the issue before disclosing it to others.
- Provide full details of the site or product vulnerability, including Proof-of-Concept URL, the details of the system where the tests were conducted and detailed reproduction steps.
Once you have provided us with the information as described above, we will investigate the reported matter. As soon as we have an understanding/assessment of the vulnerability, we will determine what type of vulnerability it is.
In case any vulnerability would constitute or lead to a personal data breach, as defined by applicable law, we will notify that personal data breach in accordance with the requirements under applicable law.
Do not engage in security research that involves:
- Potential or actual damage to users, systems, data or applications.
- Exploiting a vulnerability further than necessary to establish its existence.
- Viewing other users' data.
- The corruption of data.
- Conducting any activities that may disrupt our services.
- The use of port scans on our network blocks or executing DDoS attacks.
- Violating privacy policies, destroying data, interrupting or otherwise degrading Gumtree systems or the systems of our affiliates during your research.
Reporting a security vulnerability
If you believe you have discovered a site or product vulnerability in a Gumtree hosted website, please send a report with a thorough explanation of the vulnerability via Zerocopter using the following link: https://app.zerocopter.com/en/rd/a19ae069-9007-4e85-835d-b52d62911993
If you are attempting to report spam or abuse, or have any other questions, please contact us using our contact form.
Security vulnerability bounty
To show our appreciation for our security researchers and community, we offer a monetary bounty for reporting certain qualifying security vulnerabilities to us. Here's how it works:
Eligibility
To qualify for a bounty, you must:
- Adhere to our responsible disclosure policy as outlined above;
- Give us a reasonable amount of time (depending on the type of vulnerability or issue you report) to respond to your report before making any information public and make a good faith effort to avoid destruction of data and interruption or degradation of our service during your research;
- Be the first person to report the vulnerability responsibly and fully (including steps to reproduce);
- Report a vulnerability that could compromise the integrity of Gumtree data; and
- Act in good faith.
Our security team will assess each vulnerability to determine if it qualifies.
Rewards
Certain reported site and product vulnerabilities may lead to monetary rewards at Gumtree's sole discretion.
We only reward the first reporter of a vulnerability. Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behaviour.
We will not negotiate the payout amount in response to duress or threats (e.g. withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).
Exclusions
The following security vulnerabilities are NOT eligible for a bounty (and we do not recommend testing for these):
- Denial of Service Vulnerabilities
- Spam, Phishing or Social Engineering techniques
- Brute force password cracking
- Use of outdated software / library versions
- "Advisory" or "Informational" reports that do not include any Gumtree specific testing or context
What can you expect from us?
- You can expect us to respond to your message within 5 business days.
- We will not pass on your personal details to third parties without your permission, unless it is necessary to comply with a legal obligation. You may report under a pseudonym or anonymously.
- We will keep you informed of the progress while resolving the issue.
- In the public information concerning the reported problem, we will give your name as the discoverer of the problem (unless you desire otherwise).
These Gumtree Security Vulnerability Policies are governed by the laws of New South Wales, Australia.