Responsible Disclosure Policy

We welcome reports from security researchers about potential vulnerabilities across our platforms. The confidentiality and integrity of our users' data is our highest priority, and we value the work of the security community in helping us maintain it.

Scope

In-scope properties

• Adverts.ie
• Daft.ie
• DoneDeal.ie
• Eskimo-Software.com
• Gumtree.ie
• Distilled.ie
• Property.ie
• Rent.ie
• PropertyPal.com
• PropertyNews.com
• UsedCarsNI.com

This includes the main web applications, public-facing APIs, and subdomains of the above properties.

Out of scope

The following are not eligible for a bounty and should not be tested:

• Denial-of-service (DoS/DDoS) attacks
• Social engineering, phishing, or physical attacks against Distilled staff or offices
• Automated scanning or brute-force attacks
• Attacks against third-party services or integrations we use
• Attacks requiring physical access to a user's device
• Reports based solely on automated scanner output without a demonstrated, exploitable vulnerability
• Issues in third-party libraries unless you can demonstrate a direct, exploitable impact on our platforms

Commonly reported issues we do not reward

To save you time, the following are known or accepted and will not qualify for a bounty:

• Missing HTTP security headers (e.g., Permissions-Policy, X-Content-Type-Options) without a demonstrated exploit
• SPF, DKIM, or DMARC configuration observations
• Clickjacking on pages with no state-changing actions
• Self-XSS (where the user can only attack themselves)
• Login or logout CSRF
• Missing rate limiting on non-authentication endpoints
• Content injection without a clear security impact (e.g., text-only injection with no script execution)
• Cookie flags or attributes without a demonstrated exploit path
• Open redirects that do not lead to token theft or credential exposure
• Verbose error messages or stack traces that do not reveal sensitive data
• Software version disclosure
• Email flooding via application features (e.g., share via email, invite a friend, forgot password)
• Cross-site scripting (XSS) that only executes in a third-party application (e.g., an email client rendering a notification email)

Rules of Engagement

By participating in this programme, you agree to the following:

• Do not access, modify, or delete data belonging to other users. If you need to demonstrate impact, use your own test accounts.
• Do not perform any testing that degrades the availability or performance of our services.
• Do not exfiltrate data beyond the minimum required to demonstrate the vulnerability.
• Do not disclose any vulnerability publicly until we have confirmed it has been resolved.
• Report vulnerabilities promptly after discovery.
• If the same vulnerability exists across multiple Distilled properties, submit a single report covering all affected platforms. We treat cross-platform instances of the same issue as a single vulnerability.

Safe Harbour

We will not pursue legal action against researchers who discover and report vulnerabilities in good faith and in accordance with this policy. If you act in compliance with this policy, we consider your research to be authorised and will not initiate legal action against you.

What Makes a Good Report

A well-written report helps us verify and resolve issues faster. Please include:

• Description of the issue – What is the vulnerability? Which property and URL/endpoint is affected?
• Steps to reproduce – Clear, step-by-step instructions that allow us to reliably reproduce the issue. Include request/response details, screenshots, or proof-of-concept code where relevant.
• Suggested mitigation – If you have a recommendation for how to fix the issue, we'd welcome it.

Where applicable, referencing a relevant CWE, CVE, or OWASP Top 10 category helps us assess and prioritise your report more effectively.

Reports that lack clear reproduction steps or rely solely on automated tool output will be deprioritised.

What Happens After You Submit

1. You will receive an automated acknowledgement when your report is submitted.
2. Our security team will review your report and may reach out if we need additional information. Please be patient – our team handles reports alongside other responsibilities, and thorough verification takes time.
3. If the vulnerability is confirmed, we will work to resolve it and notify you of the outcome.
4. Bounty payments are made at our discretion based on the confirmed severity and impact of the vulnerability.

Please allow us adequate time to investigate and address your report. This process can take several weeks depending on complexity. We will contact you directly when we have an update – there is no need to follow up in the meantime. Unsolicited follow-up messages will not expedite the process.

How to Submit a Report

This form is the only way we accept vulnerability reports. Reports sent via email, social media, or any other channel will not be acknowledged and are not eligible for a bounty. Please do not contact Distilled employees directly – use the form below.

If you believe you have discovered a vulnerability in any of our platforms, please submit your report using the button below.