


Author Topic: Match Bug Bounty  (Read 13994 times)

Angelina

Match Bug Bounty
« on: April 20, 2023, 07:32:54 pm »
Submit bug report: https://www.match.com
@match

Our mission is simple: to help singles find the kind of relationship they're looking for.

Policy

Match.com values the work done by security researchers in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process.
SLA
Match will make a best effort to meet the following SLAs for participating in our program:
Time to first response (from report submit) - 1 business day
Time to triage (from report submit) - 2 business days
Time to bounty (from triage) - 12 business days
User Data
Please make a good faith effort to not violate anyone else's privacy during your testing. We explicitly request that the following user information not be accessed during testing:
User messages.
User chat logs.
User private answers.
Logging in as users/impersonating users.
Rewards
To show our appreciation of responsible security researchers, Match.com will offer a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion.
Disclosure Policy
Please let us know as soon as possible upon discovery of a potential security issue.
We'll make reasonable efforts to quickly correct any issue that affects the security of our service.

Match.com and People Media support coordinated responsible disclosure, such that we require review of any potential public disclosures prior to release, including reserving the right to remedy any errors or omissions prior to publication. Once both parties agree upon the factual representation of the issue and its remediation, the publication or post can be made public on a mutually agreed timeline, or after 90 days from confirmation the issue has been resolved, whichever is shorter.

Share with us the full details of any problem found.
Do not intentionally harm the experience or usefulness of the service to others.
Never attempt to view, modify, or damage data belonging to others.
Do not attempt a denial-of-service attack.
Do not perform any research or testing in violation of the law.
Do not perform any research or testing on other users’ data.

Exclusions
The following conditions are out of scope for the security bug program:
Physical attacks against Match.com offices and data centers.
Social engineering of our service desk, employees or contractors.
Issues related to networking protocols or industry standards not controlled by Match.com.
Any vulnerability obtained through the compromise of Match.com user or employee accounts. If you need to test a vulnerability, create a free account -- don’t take someone else’s.
Any vulnerability found through the use of any mass scanning tool, botnet, compromised site, end-clients or any other means of large automated exploitation or use of a tool that generates a significant volume of traffic.
Lack of HSTS.
Lack of HTTPS (SSL/TLS) on our vanity domains. This lack is currently being remediated.
Thank you for helping keep Match.com and our users safe!
Policy: https://www.match.com/security
Domains
www.match.com
www4.mobile.match.com

« Last Edit: April 26, 2023, 06:10:34 pm by Angelina »