Responsible Disclosure Program

Last updated: 23 February 2026

Responsible Disclosure

Forage and EAB are committed to maintaining the security of our platforms.

While we do not operate a formal bug bounty or provide monetary rewards, we actively support responsible disclosure and welcome reports from the security research community.

If you believe you’ve identified a vulnerability, please contact us so we can investigate and remediate as appropriate. Send your bug/vulnerability report to: [email protected]

Scope / Coverage

Only the following subdomains are classified in-scope:

www.theforage.com

All other endpoints are out-of-scope.

Ineligible Bugs

We classify the following as ineligible:

Vulnerabilities on third party tools that we use (unless they lead to a vulnerability on our main system - lateral movement)
Vulnerabilities that rely on physical attacks, social engineering, spamming, denial of service (DoS) attacks, etc.
Vulnerabilities affecting outdated hardware and software
Vulnerabilities discovered from automated tools
Vulnerabilities in third-party APIs
Vulnerabilities that have already been reported
Vulnerabilities that do not have a working proof-of-concept / practical demonstration
Vulnerabilities already known to us
Vulnerabilities that we can't reproduce
Vulnerabilities that we cannot realistically fix

We already know about the following issues:

Misconfigured SPF / DMARC / DKIM / DNSSec settings
Misconfigured SSL/TLS settings
Lack of reCAPTCHA / rate limits
Lack of auto sign-out after a period of inactivity
Lack of re-authentication for account actions
Lack of Cookie flags
Lack of email verification/notification
MFA Bypass that use Google OAuth
Password reset token leakage
Known-vulnerable libraries which lead to low-impact vulnerability (e.g. outdated jQuery)
CORS misconfigurations which leak the /info websocket endpoint (other websocket findings are accepted)
Google Maps API key disclosure
Best practice issues that are not directly related to security posture, such as password strength, validation of data types and length
Self-exploitation (self-XSS, password reset links or cookie reuse)
- If you are able to escalate to persistent/stored XSS, it will be acceptable and eligible
Session management on concurrent sign in / signup / email change / password change / etc.
Pre-account takeover using Google
Account enumeration using brute-force attacks
- Valid account enumeration without bruteforcing is acceptable and eligible
EXIF metadata on image uploads

Reporting Process

Send your bug report / vulnerability report to: [email protected].

Due to the large amount of emails received daily, we might not be able to respond to all reports for out-of-scope/ineligible vulnerabilities.

Please make sure to check out our ineligible bugs before submitting a report. Do not use automated scanning tools.

Include as much information as possible including a description of the bug, its impact, severity, and steps for reproducing the vulnerability. If possible, please include a remediation strategy.

We must be able to reproduce the vulnerability through a proof of concept (PoC) or technical steps of reproduction.

Wall of Fame

Special thanks to past contributors:

Ch Chakradhar
Zeeshan Khalid
karthickumar (Ramanathapuram)
Waqar Vicky
Amiya Behera
Mohour Tarun - Chede Abhaychandra
Swapnil Patil
Prakash Kumar Parthasarathy
Aman Rai
Leo Starcevic
Agung S Ch Lages
Gayatri Rachakonda
Ayon Hasan (lollipop1337)
Anurag Muley
Manikanta Payasam
Ertuğrul Özdemir
Vikash Maurya
Akash Sebastian
Manojkumar J
Hunter_Sherlock (Mariam Tariq)
Ashish Chaubey
k.Pugazhiniyan (Ramanathapuram)
Maturaf
Hacker Bro Technologies
Nallendhiran.R
Shailendra Singh sachan
Yogesh Bhandage
Deepak Dhiman
courage lotsu
Saajan Bhujel
Samir Gondaliya
Shripad Rachha (protector_5512)
soman verma
Aditya Singh
Aditya
Aswathi GS
Arjuna K S
Sumit Grover (sumgr0)

Responsible Disclosure

Forage and EAB are committed to maintaining the security of our platforms.

While we do not operate a formal bug bounty or provide monetary rewards, we actively support responsible disclosure and welcome reports from the security research community.

If you believe you’ve identified a vulnerability, please contact us so we can investigate and remediate as appropriate. Send your bug/vulnerability report to: [email protected]

Ineligible Bugs

We classify the following as ineligible:

Vulnerabilities on third party tools that we use (unless they lead to a vulnerability on our main system - lateral movement)

Vulnerabilities that rely on physical attacks, social engineering, spamming, denial of service (DoS) attacks, etc.

Vulnerabilities affecting outdated hardware and software

Vulnerabilities discovered from automated tools

Vulnerabilities in third-party APIs

Vulnerabilities that have already been reported

Vulnerabilities that do not have a working proof-of-concept / practical demonstration

Vulnerabilities already known to us

Vulnerabilities that we can't reproduce

Vulnerabilities that we cannot realistically fix

We already know about the following issues:

Misconfigured SPF / DMARC / DKIM / DNSSec settings

Misconfigured SSL/TLS settings

Lack of reCAPTCHA / rate limits

Lack of auto sign-out after a period of inactivity

Lack of re-authentication for account actions

Lack of Cookie flags

Lack of email verification/notification

MFA Bypass that use Google OAuth

Password reset token leakage

Known-vulnerable libraries which lead to low-impact vulnerability (e.g. outdated jQuery)

CORS misconfigurations which leak the /info websocket endpoint (other websocket findings are accepted)

Google Maps API key disclosure

Best practice issues that are not directly related to security posture, such as password strength, validation of data types and length

Self-exploitation (self-XSS, password reset links or cookie reuse)

If you are able to escalate to persistent/stored XSS, it will be acceptable and eligible

Session management on concurrent sign in / signup / email change / password change / etc.

Pre-account takeover using Google

Account enumeration using brute-force attacks

Valid account enumeration without bruteforcing is acceptable and eligible

EXIF metadata on image uploads

Reporting Process

Send your bug report / vulnerability report to: [email protected].

Due to the large amount of emails received daily, we might not be able to respond to all reports for out-of-scope/ineligible vulnerabilities.

Please make sure to check out our ineligible bugs before submitting a report. Do not use automated scanning tools.

Include as much information as possible including a description of the bug, its impact, severity, and steps for reproducing the vulnerability. If possible, please include a remediation strategy.

We must be able to reproduce the vulnerability through a proof of concept (PoC) or technical steps of reproduction.

Wall of Fame

Special thanks to past contributors:

Ch Chakradhar

Zeeshan Khalid

karthickumar (Ramanathapuram)

Waqar Vicky

Amiya Behera

Mohour Tarun - Chede Abhaychandra

Swapnil Patil

Prakash Kumar Parthasarathy

Aman Rai

Leo Starcevic

Agung S Ch Lages

Gayatri Rachakonda

Ayon Hasan (lollipop1337)

Anurag Muley

Manikanta Payasam

Ertuğrul Özdemir

Vikash Maurya

Akash Sebastian

Manojkumar J

Hunter_Sherlock (Mariam Tariq)

Ashish Chaubey

k.Pugazhiniyan (Ramanathapuram)

Maturaf

Hacker Bro Technologies

Nallendhiran.R

Shailendra Singh sachan

Yogesh Bhandage

Deepak Dhiman

courage lotsu

Saajan Bhujel

Samir Gondaliya

Shripad Rachha (protector_5512)

soman verma

Aditya Singh

Aditya

Aswathi GS

Arjuna K S

Sumit Grover (sumgr0)