File your Self Assessment for less with our early bird price! £85+VAT
00
days
00
Hours
00
Minutes
00
Seconds
Get Filing

By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyse site usage, and assist in our marketing efforts. Learn more

PreferencesAccept

Great! Let's arrange your callback

If you're a current Crunch client please email support@crunch.co.uk

Please enter your first name
Please enter your last name
Please enter your email address
Please enter your phone number

Can’t wait for a callback? Call us now

We aim to answer calls within 30 seconds

Talk to an advisor: +443339202817

9am - 5.30pm Monday - Friday

Yes please, I’d like to hear about offers and services by:

Please enter your name
Schedule my call

By submitting, you agree to our privacy policy

Let's schedule your call

Calls usually take around 10-15 minutes and you’ll have the chance to ask any questions you may have. We’re available from 9am-6:30pm Monday to Thursday and 9am-5:30pm Friday.

When's a good time to call?

Please select an option
Please enter a valid date and time for us to contact you (20 characters maximum)
Please enter your name
Back
Schedule my call

Responsible Disclosure

At Crunch, we take the protection of our customers' data very seriously. We work with top security researchers to continuously challenge and improve our security levels.

We currently do not offer financial rewards for issues reported. We will however do our best to supply some Crunch merchandise or other swag to share our appreciation and of course a position in our hall of fame.

Responsible Disclosure

The disclosure process is there to enable security researchers to identify and flag anything that would impact the confidentiality, integrity, or availability of Crunch’s system or our member's data.

You are a current customer

If you suspect your account has been compromised, please get in touch with us immediately.

Making a responsible disclosure

We encourage you to let us know about the integrity, availability, or confidentiality of our customer data or of Crunch’s systems.

It’s imperative that you follow our guidelines and only work on the areas we’ve highlighted if you want to identify vulnerability as an ethical hacker on our systems.

Rules

Here are the key principles to reporting vulnerabilities to us:

The process

You must comply with all applicable laws and regulations. You must not use an automated tool such as vulnerability/scanning tools (e.g. the Qualys SSL test) which we’re already aware of.

The data

For research purposes, you must create your own account (register for free).

Please do not destroy data or degrade the access to the data (eg. Spam, brute force, Denial of Service etc.) and do not violate any other member’s privacy.

The report

Your report must contain a proof-of-concept or the steps to replicate your findings, with commands/images/video evidence.

Your report must provide a comprehensive business impact assessment of your findings.

This detailed report should only be sent to Crunch by emailing responsible-disclosure

The target

Only the following targets will be considered in-scope:

Non-targets

The following targets are not in scope:

Out of scope

The following issues are not considered in scope:

  • Any physical attempts against Crunch property or data centres.
  • IP/Port Scanning via Crunch services unless you are able to hit private IPs or Crunch servers.
  • Attacks that need physical access to a user's device.
  • Any access to data where the targeted user needs to be operating a jailbroken/rooted mobile device.
  • Vulnerabilities depending on a client system being exploited already.
  • Vulnerabilities impacting users of outdated browsers or platforms.
  • Vulnerabilities involving active content such as web browser add-ons.
  • Ways to know if a given username or email address has a Crunch account.
  • The presence/absence of SPF/DMARC records.
  • Policies around password, email and account, eg. reset link expiration, password complexity.
  • Host header injections that cannot be used to exfiltrate user data.
  • Social engineering of Crunch employees, contractors or customers.
  • Absence of rate limiting.
  • Phishing risk via unicode or right-to-left-override issues.

Hall of Fame

Here is a list of security researchers that contributed to make Crunch better and more secure: