How can I report a potential security issue?
If you are experiencing a security problem (someone has accessed your account, or any other form of abuse), please contact info-id@cookpad.com.
If you believe you have discovered a security vulnerability in a Cookpad service, please read the following:
We do not currently operate a bug bounty program, so while we appreciate your time and effort, Cookpad will not pay monetary rewards for vulnerability reports.
- Submit your findings with as much detail as possible via email to security@cookpad.com. We can accept reports in English or Japanese.
- A useful report includes step-by-step instructions for reproducing the issue, proof-of-concept code where possible, and a clearly stated impact.
- Do not take advantage of the vulnerability or problem you have discovered. Do not view, modify, download, or otherwise interact with Cookpad systems or other users' data beyond what is necessary to demonstrate the vulnerability. This is critically important. If you're not sure, please contact us to discuss what you've found.
- The issue is considered confidential until Cookpad authorises publication or discloses it. Do not disclose the issue without our acknowledgement and permission to do so.
- Do not use non-technical attacks, e.g., ones that involve threats to physical security, social engineering, etc.
- Do not perform distributed denial of service attacks, create spam, or attempt compromise of third-party systems. (If you discover a way in which we are using a third-party tool insecurely, inform us without accessing the tool itself.)
- Running automated scanners against Cookpad systems, or submitting their raw output as a report, can result in account suspension or IP bans.
- If you have followed the instructions above, we will not take any legal action against you regarding the report, nor pass on your personal details to third parties without your permission.
- Ideally, a reported vulnerability will be exploitable without requiring access to the target's device.
- We are working to create a fully detailed scope and relevant instructions; however, the following items are considered out of scope:
  - Distributed Denial of Service vulnerabilities (unless a Cookpad feature could be used to execute such an attack)
  - Policies rather than implementations (e.g., a password length limit is out of scope, but an insecure method of checking that limit could be in scope)
  - Spam, unless an issue makes posting spam easy
  - Vulnerabilities, if any, in our open-source software should be reported on the repository in question, following that repository's policies
  - The existence of non-production environments
  - The presence, absence, or configuration of security headers, reported in isolation without a demonstrated impact