We would like to thank the following security researchers who have agreed to be credited on the list below. The researchers listed have privately reported security issues and other vulnerabilities that have affected Twingate products and services.
Please see our Responsible Disclosure Policy for information on how to report an issue with a Twingate product or service.
Twingate’s security team will use their discretion in making decisions as to whether to grant or publish credit for issue reports. Factors we consider are described below.
We will not credit researchers on this list if any of the rules below are not followed, or if we determine that any other unethical, irresponsible, or illegal behavior has occurred. This includes the right to retroactively remove any previously published credit. To be listed, we may require you to sign an attestation that you did not access, or that you deleted any data that you may have obtained from Twingate systems as a result of your security research.
Additionally, reports we do not classify as security issues are not eligible for acknowledgement on this page. These include, without limitation:
- Directory Listings. We make certain content available using directory listings. Please only report these if you find (what can reasonably be assessed as) non-public content being exposed.
- Version Numbers. We do not hide the version numbers of online service components and you should expect these will not be the latest upstream versions.
- Secure Certificate Issues. For example, mismatched host names, expired certificates, HTTP only websites, support for older protocols such as SSLv3, etc.
- Reports from automated tools or scanners without manual verification and analysis.
- Theoretical attacks without proof of exploitability.
- Brute force attacks. For example, on passwords or tokens.
- Attacks involving any user accounts not created by you on any of our online services.
- Attacks involving physical access to a user’s device, or involving a device or network that is already compromised.
- Missing security headers that do not lead directly to a vulnerability.
- Cookies missing secure or HttpOnly flags.
- Bugs that rely on an unlikely user interaction.
- Issues that are the result of a user deliberately performing an insecure action (like sharing their account password).
- Social engineering of Twingate staff or users.
- Third party products. Some third party products and services may integrate with Twingate. If you notify us about security issues about such products or services, we may coordinate fixes with the affected providers and acknowledgements may be given by those providers under their rules.
- Some security issues may be due to underlying vulnerabilities in third party applications that we use. In these cases we may coordinate fixes with the application vendor and acknowledgements maybe given by those vendors.
- We expect you to make a good faith effort to avoid privacy violations, destruction of data, or degradation to our service during your research. Please avoid using tools that are likely to automatically generate significant volumes of traffic or otherwise cause operational problems for our sites.
- 3/2021: Faisal Mehmood
Report an issue and you could appear on this page with our thanks!
Updated 10 months ago