Responsible Disclosure Program
Hey Hacker, if you think you have found a bug in my website, please share it with me. I want to learn how you found it, and in doing so train my mind to make the cyber world and my website more secure, while picking up development as another skill ;).
As a reward I will send you a Certificate of Appreciation and list you in the Hall of Fame on my website. So please find the bug and report it to me. Happy hunting!
The following issue classes are considered out of scope and do not qualify for a reward:
- Cookie flags, e.g. missing Secure or HttpOnly attributes.
- Volume-related issues, e.g. brute force, missing rate limiting, denial of service.
- Email configuration, e.g. SPF, DKIM, DMARC records.
- Error pages, e.g. verbose error messages, stack traces, invalid status codes.
- Admin or maintenance pages, e.g. monitoring-system login pages and pages that expose no sensitive information.
- Clickjacking, e.g. a missing X-Frame-Options header.
- CSRF on unauthenticated resources, e.g. login/logout, pages with anonymous access, non-sensitive information.
- Mobile issues that require root access or unsupported OS versions, e.g. credentials stored in Android SharedPreferences.
- Non-sensitive exposed API keys, e.g. Google Maps, Raygun.
- Absent or misconfigured HTTP headers, e.g. Content-Security-Policy, Strict-Transport-Security, X-XSS-Protection, Cache-Control.
- Configuration that is not directly exploitable, e.g. weak TLS ciphers, password policy, session expiration, certificate pinning.