SICK Vulnerability Program

Sick Codes Vulnerability Program for Researchers and Orphaned Reports

Welcome to the SICK.CODES software vulnerability and accountability program.

The purpose of the SICK Vulnerability Program is to recognize independent or new researchers who are otherwise ignored by other programs, or who are not sure where to start.

Vulnerabilities submitted via this form are not sold. Vulnerabilities submitted below are publicly disclosed in a responsible manner, following industry best practices.

If your vulnerability requires a CVE ID, we can request a CVE ID on your behalf.

In any case, your vulnerability will be assigned a SICK ID. This helps us, and other organizations, track your vulnerability throughout its lifetime.

We can also help you write a vulnerability report if you are not good at writing in English.

You can encrypt important data below using our PGP key.


    Select ONE reason for your submission:


    Select ANY of the following:

    I have not received a response from a vulnerability program
    I believe that the vendor does not have a public BugBounty program on BugCrowd or HackerOne
    I have attempted to contact the vendor, or will contact them after submission
    I cannot contact the vendor, or would like assistance contacting the vendor
    The vendor does not consider this a vulnerability
    I do not want my name/alias published with this vulnerability (anonymous report)


    Vulnerability details:

    By submitting this request you agree to follow responsible disclosure guidelines. An example of responsible disclosure guidelines can be found here: https://github.com/disclose/dioterms.

    By submitting this request you agree that SICK.CODES will not publish your research until a known patch or mitigation is published, or 90 days have elapsed since the time of discovery.

    By submitting this request you permit SICK.CODES to contact the vendor on your behalf, to attempt to resolve the issue. SICK.CODES will email, phone, SMS, @, hashtag, inbox, direct message, or contact partners of the vendor until a response is received. If SICK.CODES cannot contact the vendor for you, SICK.CODES will work with you in authoring a patch to mitigate the vulnerability. This may require getting other responsible Open Source security researchers involved and/or collaborators to help write the patch, as a team, or provide a solution.

    Software patches written by SICK.CODES will be released under the exact same license as the parent project, and WITHOUT WARRANTY. If the parent project license is unknown, software patches authored by SICK.CODES or other collaborators will be released under either the GPLv2, the GPLv3+, or MIT license, whichever is most appropriate.

    If a vulnerability you have submitted does in fact have a bounty attached to it via its vendor, then we will inform you of that bounty program and can either assist in negotiating a fair bounty by evaluating your research further, or write a proof of concept, which can also serve as a proof of exploit.

    We will fight for your rights as a responsible security researcher to get the most appropriate bounty.

    This vulnerability is your own security research. You discovered this.

    Therefore, if the vendor has a paid bug bounty, SICK.CODES will take 0% of the bounty.

    You will receive 100% of the bounty.

    You can donate some back to us if you're feeling generous.

    SICK.CODES will credit you in every way possible for your discovery.

    I am acting in good faith

    SICK.CODES has never received a court order, and is not under any gag order (do not submit if this sentence is missing)