SICK Vulnerability Program

Select ONE reason for your submission:

Request a SICK IDUpdate an existing SICK IDNotify SICK.CODES about a potential vulnerabilityAsk whether a vulnerability is real or notI need help reporting a vulnerabilityRequest help writing a PoC

Select ANY of the following:

I have not received a response from a vulnerability programI believe that the vendor does not have a public BugBounty program on BugCrowd or HackerOneI have attempted to contact the vendor, or will contact them after submissionI cannot contact the vendor, or would like assistance contacting the vendorThe vendor does not consider this a vulnerabilityI do not want my name/alias published with this vulnerability (anonymous report)

Vulnerability details:

Suggested Vulnerability Title (optional)

Vulnerability Type/Weakness (optional)

Vendor Name* [the company/organization who makes the product] (*required)

Product Name* (*required)

Product Version(s) (optional)

Link to Product, PoC, or Project URL (optional)

Suggested vulnerability description (optional)

Your Alias/Team/Name* (*required)

Your Email* [not published!] (*required)

Links to any other collaborators or researchers involved that you wish to credit (optional)

Your Signal, Wire, Telegram, Line, WhatsApp, Viber, or WeChat (optional)

Your website, Twitter, or GitHub URL (optional)

Additional Notes (optional)

PGP Public Key (optional)

By submitting this request you agree to follow responsible disclosure guidelines. An example of responsible disclosure guidelines can be found here: https://github.com/disclose/dioterms.

By submitting this request you agree that SICK.CODES will not publish your research until a known patch or mitigation is published, or 90 days has elapsed since time of discovery.

By submitting this request you permit SICK.CODES to contact the vendor on your behalf, to attempt to resolve the issue. SICK.CODES will email, phone, SMS, @, hashtag, inbox, direct message, or contact partners of the vendor until a response is received. If SICK.CODES cannot contact the vendor for you, SICK.CODES will work with you in authoring a patch to mitigate the vulnerability. This may require getting other responsible Open Source security researchers involved and/or collaborators to help write the patch, as a team, or provide a solution.

Software patches written by SICK.CODES will be released under the exact same license as the parent project, and WITHOUT WARRANTY. If the parent project license is unknown, software patches authored by SICK.CODES or other collaborators will be released under either the GPLv2, the GPLv3+, or MIT license, whichever is most appropriate.

If a vulnerability you have submitted does in fact have a bounty attache to it via its vendor, then we will inform you of that bounty program and can either assist in collaborating a fair bounty by evaluating your research further, or write a proof of concept, which can also be a proof of exploit.

We will fight for your rights as a responsible security researcher to get the most appropriate bounty.

This vulnerability is your own security research. You discovered this.

Therefore, if the vendor has a paid bug bounty, SICK.CODES will take 0% of the bounty.

You will receive 100% of the bounty.

You can donate some back to us if you're feeling generous.

SICK.CODES will credit you in every way possible for your discovery.

I am acting in good faith

SICK.CODES has never received a court order, and is not under any gag order (do not submit if this sentence is missing)