Terms of City-Data.com's Security Bug Bounty Program
At Advameg, we appreciate the importance of security research. Therefore, we hope to utilize the power of our community to maximize the safety of our systems. In order to maintain the maximum possible level of security, our team appreciates and encourages the responsible disclosure of any security vulnerability that may be found on the City-Data.com website.
If you’re looking for non-security related issue reporting, please visit: www.city-data.com/contacts.html
- Do not access any user's private, non-public information — only work on your own data.
- Do not perform any activity that may cause a degradation of services, such as aggressive scanning or DDOS attacks.
- Do not perform non-technical attacks, including social engineering, phishing or physical attacks against our users, employees or infrastructure.
- Do not publicly disclose a vulnerability.
- The scope of this program includes only the www.city-data.com website (including the Forum).
- A violation of these rules renders a participant’s access unauthorized by Advameg, Inc. under the Computer Fraud and Abuse Act.
- Any questions or concerns? Please contact us!
What does not qualify for a reward in our program?
- Reports that we are unable to reproduce.
- Bugs that only affect legacy browser/plugin versions or bugs that require activities or interactions that a typical user is exceedingly unlikely to perform.
- Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger. Examples: Common flaws, URL Redirect, Debug information, Mixed Content, most CSRF, Self-XSS, http instead of https, or vulnerabilities that require the victim to take multiple uncommon steps.
- Disclosure of public information or information that in our sole and unfettered discretion does not present a significant risk.
- Bugs that have already been reported to us or bugs/configuration issues that we are otherwise already aware of or are intended functionality.
- Scripting or other automation issues and issues created through the use of brute force attacks.
- DDoS attacks.
- Issues related to software or protocols not under our control.
- Vulnerabilities that require physical access to a user’s browser, device or email address or issues with rooted or jailbroken smartphones.
- Clickjacking and issues only exploitable through clickjacking.
- Reports about missing headers, cookie flags, session fixation, unsolicited messages (including SPF/DMARC/DKIM issues).
- Issues without clearly identified security impact.
How do I report an issue?
Please fill out the form located at: city-data.com/bug-bounty-report.php
We need some time to process all requests, especially those addressing more complicated cases. Please allow a few weeks for analysis.
If we determine that a reported issue is valid and represents a security vulnerability previously unknown to us, we may issue a monetary reward between $250 and $3,000, depending on the severity of the vulnerability. We reserve the right to publish your handle or nickname if we issue a reward.
Residents of countries that are on U.S. sanctions or trade restrictions lists are ineligible to participate in the program. You are required to provide valid contact information and we will require your tax information if the payout is above $600. Any taxes due as a result of participation in the program are the sole responsibility of the participant.
If for any reason you are unable to or do not wish to accept a reward, you may donate it to a recognized charity (subject to approval). In this case, we will double bounty amount.
All award transactions will be completed through PayPal or check.
If you need any further information, please contact us at