Security policy

Our security policy

Short Stories recognises the value that external security researchers can bring to the security of Short Stories systems, and we welcome and seek to reward eligible contributions from security researchers, as outlined below. If you believe that you have found a security vulnerability on Short Stories, we encourage you to let us know straight away. We will investigate all legitimate reports and do our best to quickly fix the problem. Before reporting, though, please review this page, including our responsible disclosure policy, reward guidelines and scope of the programme.

Responsible Research and Disclosure Policy

In order for you to participate in the programme, we require that:

  • You do not interact with an individual account (which includes modifying or accessing data from the account) without the account owner's explicit consent in writing, which you must produce upon request.
  • You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorised access to or destruction of data, and interruption or degradation of our services. You must not intentionally violate any applicable laws or regulations, including (but not limited to) laws and regulations prohibiting the unauthorised access to data.
  • If you inadvertently access another person's data or Short Stories company data without authorisation while investigating an issue, you must promptly cease any activity that might result in further access of user or Short Stories company data and notify Short Stories which information was accessed (including a full description of the contents of the information) and then immediately delete the information from your system. Continuing to access another person's data or company data may demonstrate a lack of good faith and disqualify you from any benefits described below. You must also acknowledge the inadvertent access in any related bug bounty report you may subsequently submit. You may not share the inadvertently accessed information with anyone else.
  • You do not exploit a security issue you discover for any reason other than for testing purposes, and you do not conduct testing outside your own account, a test account or another account for which you have the explicit written consent of the account owner to test. (This includes demonstrating additional risk, such as the risk that the security issue could be used to compromise sensitive company data or another user's account.)
  • You give us reasonable time to investigate and mitigate an issue you report before publicly disclosing any information about the report or sharing such information with others.

Safe Harbor Provisions

  • We consider these terms to provide you authorisation to test the security of the products and systems identified as in-scope below. These terms do not give you authorisation to intentionally access company data or data from another person's account without their express consent, including (but not limited to) personally identifiable information or data relating to an identified or identifiable natural person.
  • If Short Stories determines in its sole discretion that you have complied in all respects with these Bug Bounty Programme Terms in reporting a security issue to Short Stories, we will not initiate a complaint to law enforcement or pursue a civil action against you. Short Stories will also not pursue legal action against you for clearly accidental or good faith violations of its policy or these terms.
  • If legal action is initiated by a third party against you for conduct that Short Stories determines to have complied with these Bug Bounty Programme Terms, Short Stories will take steps to make it known, either to the public or the court, that your actions were authorised under this programme.

Bug bounty programme processes

We recognise and reward security researchers who help us keep people safe by reporting vulnerabilities in our products and services. Monetary bounties for such reports are entirely at Short Stories' discretion, based on risk, impact and other factors. To be considered for a bounty, you must meet the following requirements:

  • Adhere to our Responsible Research and Disclosure Policy and Safe Harbor Provisions (see above).
  • Report a security bug: identify a vulnerability in our services or infrastructure which creates a security or privacy risk. (Note that Short Stories ultimately determines the risk of an issue, and that many software bugs are not security issues.) Report the vulnerability upon discovery or as soon as is feasible.
  • Report a security bug involving one of the products or services that are within the scope of the programme (see "Bug bounty scope" below). We specifically exclude certain types of potential security issues, listed under "Out of scope" and "False positives" (see below).
  • Submit your report directly to us and respond to any follow-up requests from our staff for updates or further information.
  • Use test accounts when investigating issues. If you cannot reproduce an issue with a test account, you can use a real account you are authorised to use (except for automated testing). Do not use or interact with any real account belonging to another person without explicit written consent of the account owner.
  • Before engaging in any action that may be inconsistent with or unaddressed by these terms of service, contact us for clarification by submitting a new submission with your question.

In turn, we will follow these guidelines when evaluating reports under our bug bounty programme:

  • We investigate and respond to all valid reports. We prioritise evaluations based on risk and other factors, and it may take some time before you receive a reply.
  • We determine bounty amounts based on a variety of factors, including (but not limited to) impact, ease of exploitation and quality of the report. If we pay a bounty, rewards range from a minimum of £30 (GBP) for minor issues up to £250+ (GBP) for major issues. Note that extremely low-risk issues may not qualify for a bounty at all. Even if the issue you identify is low-risk in isolation, if your report leads us to discover higher-risk vulnerabilities, we may, at our sole discretion, pay an increased award.
  • We will generally pay lower reward amounts for in-scope vulnerabilities that are only exploitable through outdated versions of non-Short Stories developed software (e.g. a web browser), but we will still consider such reports.
  • We seek to pay similar amounts for similar issues, but bounty amounts and qualifying issues may change over time. Past rewards do not necessarily guarantee similar results in the future.
  • In the event of duplicate reports, we award a bounty to the first person to submit an issue. (Short Stories determines duplicates at its sole discretion and is not obligated to share details on prior similar reports.) A given bounty is typically only paid to one individual. However, if a subsequent report on a previously evaluated issue reveals that a vulnerability still remains or is more serious than initially judged, we may pay a reward for the subsequent report and evaluate whether an additional reward is warranted for the initial entry.
  • You may donate a bounty to a recognised charity (subject to approval by Short Stories).
  • We reserve the right to publish reports (and accompanying updates).

To donate your reward, contact us with the following information:

  • the report ID for which you want to donate the bounty
  • the name and website of the charity you want to donate to
  • whether you want to be named as the donor or would prefer to remain anonymous. Keep in mind that we can only attribute the donation to you if the charity allows us to give a name.

We may retain any communications about security issues you report for as long as we deem necessary for programme purposes, and we may cancel or modify this programme at any time.

Bug bounty scope

To be eligible for a bounty, you can report a security bug in Short Stories.

Out of scope

  • Spam or social engineering techniques.
  • Denial-of-service attacks.
  • Content injection. Posting content on Short Stories is a core feature, and content injection (also "content spoofing" or "HTML injection") is out of scope unless you can clearly demonstrate a significant risk.

Performing your research

Do not impact other users with your testing; this includes testing vulnerabilities in accounts or content you do not own. If you are attempting to find an authorisation bypass, you must use accounts you own.

The following are never allowed and are ineligible for reward. We may suspend your Short Stories account and ban your IP address for:

  • Performing distributed denial of service (DDoS) or other volumetric attacks
  • Spamming content
  • Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.
    • Note: We do allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one nmap scan against one host is allowed, but sending 45,000 requests in two minutes using Burp Suite Intruder is excessive.

Stop immediately if you believe you have affected the availability of our services.

False positives

  • Profile pictures available publicly. Your current profile picture is always public (regardless of size or resolution).
  • Note that public information also includes your username, ID, name, current cover photo and anything that you've shared publicly.
  • Sending messages to anyone on Short Stories.
  • Accessing photos via raw image URLs from our CDN (Content Delivery Network).

Handling personally identifiable information (PII)

Personally identifying information (PII) includes:

  • legal and/or full names
  • names or usernames combined with other identifiers like phone numbers or email addresses
  • health or financial information (including insurance information, social security numbers, etc.)
  • information about political or religious affiliations
  • information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes

Do not intentionally access others’ PII. If you suspect a service provides access to PII, limit queries to your own personal information.

Report the vulnerability immediately and do not attempt to access any other data. The Short Stories team will assess the scope and impact of the PII exposure.

Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned.

You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.

We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability.

Reporting your vulnerability

Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps, or which include reproduction steps only in video form, may be ineligible for a reward.

When reporting vulnerabilities do not post information to video-sharing or pastebin sites. Videos and images can be shared directly via communications.

For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.

During the course of an investigation, it may take time to resolve the issue you have reported. We ask that you refrain from publicly disclosing details regarding an issue you’ve reported until the fix has been publicly made available.

Submissions must be sent to [email protected].

We deal only with principals, not vulnerability brokers.

If you reside in a country on a United States or United Kingdom restricted export control list, or are on a United States or United Kingdom state or federal criminal wanted list or restricted export control list, you are not eligible to participate in this programme.

We will make the final decision on bug eligibility and value. This programme exists entirely at our discretion and may be modified or cancelled at any time. Any changes we make to these programme terms do not apply retroactively. Thank you for helping us make Medium more secure.

This version includes references to both the USA and UK to ensure the policy is relevant to participants from both regions.