Author Topic: Realtor Bug Bounty  (Read 724 times)


  • Moderator
  • Experienced Member
  • *****
  • Posts: 357
    • View Profile
Realtor Bug Bounty
« on: May 16, 2023, 06:16:44 pm »
submit bug report:

Move looks forward to working with the security community in an effort to keep our businesses and customers safe.  If you are a security researcher and have identified a suspected security vulnerability in one of our properties, we appreciate your help in disclosing it to us in a coordinated and responsible manner.  If you report a valid security vulnerability in compliance with this Responsible Disclosure Policy (“Policy”), Move will endeavor to collaborate with you to understand, validate and resolve the issue.

The intent of this program is to encourage coordinated and responsible disclosure.  Unless required by law or law enforcement authorities, Move does not intend to initiate a lawsuit or law enforcement investigation against a security researcher who discovers and reports a security vulnerability in compliance with this Policy.  Move reserves all legal rights in the event of any noncompliance. If your security research involves the networks, systems, information, applications, products, or services of another party, including a third-party application that is integrated with Move property, that third party may determine whether to pursue legal action. We cannot and do not authorize security research involving other entities.

Your participation in this program is voluntary and subject to the terms and conditions set forth in this Policy.  By submitting reports or otherwise participating in this program, you agree that you have read and will follow this Policy.

Move reserves the right to change or modify the terms of this program or terminate this program at any time.

Please submit your findings to [email protected].


This policy applies to the Move family of websites, and mobile apps, and mobile-optimized websites.

The following domains (and their subdomains) are considered Move family of websites:


Any domains not expressly listed above, are excluded from scope and are not authorized for testing.

Program Rules

As with most security disclosure programs, there are some restrictions:

Disclosure procedure and confidentiality:

Vulnerabilities must be disclosed to us privately with a reasonable time to respond. We will seek to respond quickly to your report.  You are not permitted to disclose a vulnerability or otherwise share details about a vulnerability with a third party prior to resolution without Move’s express written permission.

You must include detailed information with reproducible steps. We request that researchers provide sufficient technical details and background necessary for us to identify and validate reported issues.

We will not publicly disclose the identity of any researcher without consent, except where required by law.

As a condition of participation in this program, you waive any rights to the confidentiality of the submitted work and, further, grant Move an irrevocable, worldwide, royalty-free, perpetual transferable, sub-licensable license to use the submitted research, as well as any materials submitted therewith, for any purpose, and waive claims against Move based on Move’s license or the rights granted herein.


Security testing requirements:

You must abide by the program scope.

You must comply with all applicable laws and regulations, including any laws or regulations governing privacy or the lawful processing of data.

You must securely delete Move information that may have been downloaded, cached, or otherwise stored on systems used to perform the research.

You may only use or interact with your own accounts for testing purposes. Do not attempt to compromise or otherwise gain access to an account you do not own.



Do not exploit a vulnerability you discovered for malicious purposes.

You are prohibited from engaging in any activity that would be disruptive, damaging or harmful to Move, its businesses or its customers. This includes, without limitation:

social engineering techniques (e.g., phishing);

posting, transmitting, uploading, linking to, sending, or storing any malicious software

testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, or other forms of duplicative or unsolicited messages

Denial of Service (DoS) and Distributed Denial of Service (DDoS)-based attacks.

You are prohibited from engaging in any privacy violations, trading stolen user credentials, or destroying data. 

You may not access data except to the extent minimally necessary to identify a vulnerability, and use of such data must be limited to that which is necessary to identify and report the vulnerability. You are prohibited from compromising data that is not your own.

You are prohibited from engaging in any activity that results in you or any third party accessing, acquiring, altering, copying, storing, sharing, transferring, deleting or otherwise processing customer or employee personal information, or Move confidential information.  If you inadvertently engage in any such activity, please stop testing and contact us immediately at [email protected].  All copies of such information must be securely returned to Move or purged upon submitting the vulnerability to Move.


Please submit a report to us or request additional testing permission before causing damage or engaging in conduct that may be inconsistent with this Policy. If you inadvertently cause a violation of this program Policy, please report the incident immediately to [email protected]

Please note our disclosure program does not provide any monetary or non-monetary reward.