Bugcrowd

  • $300 – $10,000 per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Update regarding EXIF data in file uploads on submissions

Hi all,

As an FYI, while we appreciate the reports, we ask that you please not submit any findings relating to the presence of EXIF data in image files when using the upload feature on submissions. File attachments on Submissions are often used by hackers to provide specific payload samples to prove that a vulnerability exists. Some of these payloads can be image files containing EXIF data that may be germane to the vulnerability being discussed.

We intentionally do not redact files attached to submissions, to maximise the ability of hackers to report vulnerabilities to customers.

We receive many duplicates on this issue, which we consider a wont-fix. We acknowledge and accept the risks associated with not stripping metadata from file attachments on Submissions.

Duplicates of this submission will henceforth be marked not-applicable and may be marked out-of-scope at our discretion.

Please also remember that we do not redact files attached to submissions (though we reserve the right to do so in the future). You must ensure that any files you upload using our file attachment feature have identifying or sensitive information about you redacted before attaching them.

Good luck and happy hunting!