Envato Product Security
Security and privacy at Envato starts with our values.
At Envato, we understand security and privacy is important because we are in it for the community. This means we’re committed to working with our community, including through our security program to recognize helpful hackers that work with Envato.
Helpful Hacker Program
Our Helpful Hacker program allows our community to report product vulnerabilities to Envato. We operate the program based on the following principles:
- Reported issues will be prioritized based on impact on our community, not based on financial incentives.
- Swift resolution based on impact on our community, aiming for less than 72 hours after the report has been made.
- Reported issues will be disclosed by Envato to the community shortly after resolution of the problem.
- Responsible disclosure, meaning that you give us a fair go in order to resolve the issue before the vulnerability is disclosed to the community. This helps us protect the security and privacy of our community.
Reporting a vulnerability
If you believe you have found a general security vulnerability in an Envato product you can use this form to report the vulnerability to us. We will confirm receipt and follow up with verification and target date for full disclosure following resolution.
For security issues related to your personal account you should contact our friendly Help Team.
Rules
Whilst investigating potential vulnerabilities, you must not:
- Test against any service that isn't owned by Envato. This includes all third party providers despite whether or not they are hosted on an Envato owned/operated subdomain.
- Cause disruption to the availability of any Envato services.
- Attempt to gain access to another user's data or information.
- Impact other users with your testing.
- Attempt non-technical attacks such as social engineering or physical attacks against employees or infrastructure.
- Pivot your approach from one vulnerability to another in order to escalate your access.
- Share sensitive information exposed during the course of finding a vulnerability.
- Violate any laws.
If in doubt, get in touch first!
Scope
Included in scope are any products or services that reside under the following domains that are owned by Envato:
- *.envato.com
- *.envato.net
- *.envato-staging.com
- *.envato-staging.net
- *.envatomarketplaces.com
- *.tutsplus.com
- *.themeforest.net
- *.codecanyon.net
- *.videohive.net
- *.audiojungle.net
- *.graphicriver.net
- *.photodune.net
- *.3docean.net
- *.activeden.net
- *.twenty20.com
- *.reshot.com
- *.milkshake.app
- *.msha.ke
- *.milkshakedev.net
- *.mixkit.co
- camo.envatousercontent.com
- Items for sale or available for download from any of the Envato Marketplaces.
This program does not offer bounties or rewards, financial or otherwise. In recognition of our appreciation, Helpful Hackers will be added to either the Envato Systems Honor Roll or the Envato Author Item Honor Roll, depending on the scope of the vulnerability.
Qualifying vulnerabilities
While not extensive, this list provides some examples of what we are classing as a security vulnerability and will award to Helpful Hackers.
- Authentication or authorization flaws
- Cross-site scripting
- Cross-site request forgery
- Server-side code execution bugs
- Ability to view another user's personal or sensitive data
- Remote code execution
- SQL injection
- Bypassing of security controls or boundaries
Non-qualifying vulnerabilities
- You are not the first person to identify the vulnerability. While we endeavor to address and disclose security reports in a timely manner, it may occur that multiple reports come in for the same issue, in which case we will only award the initial reporter.
- Testing against third party systems/content (even under an Envato subdomain). Any system or content that is not owned/operated by Envato cannot be tested without the system owner's explicit permission. We recommend contacting them and reviewing if they have a bug bounty program before engaging in any testing.
- Vulnerabilities that Envato determines to be an accepted risk.
- Vulnerabilities requiring exceedingly unlikely user interaction or steps to exploit.
- Phishing attacks. We do not accept phishing of users or staff as a security vulnerability that we can manage or mitigate. If you do find one, please don't hesitate to get in touch so we can take some steps to remove it from public consumption.
- Third party plugins or browser based scripts used to enhance or alter the Envato products. If you use a tool to alter how the Envato sites look or interact and you discover a vulnerability with the tool, you are best to disclose the issue to the project maintainer.
- Presence of banner or version information. On its own we don't consider the showing of product version a vulnerability. However, if you find a very outdated version or think it defines a security risk, please get in touch.
- Denial of service attacks. In the interest of service availability, we strongly discourage anyone who uses automated tools that generate significant volumes of traffic that may impact our users.
- General security advice without an identified vulnerability report. While it's appreciated that people reach out to our team regarding general security advice such as not using exposed HTTP query parameters, without an attached vulnerability we will not award the submission as on their own they are not a security risk.
If you are ever unsure about whether the vulnerability you are testing is questionable or may fall into the non-qualifying category, please get in touch with us for guidance.
Honor Roll - Envato Systems
| Name | Dates of reports |
|---|---|
| Hamza Mirawi — Linkedin | 26 February 2023 |
| Syed Sahel — Syed Sahel | 10 December 2022 |
| Muhammad Ali Azhar & Muhammad Mohsin Khan | 12 October 2022 |
| Nicolas Armua | 25 June 2022 |
| Zachary Sims — Zachary Sims | 23 January 2022 |
| Anil Bhatt — @anilbhatt934 | 24 December 2021 |
| Xale Turkish Defacer — xalesecurity.wordpress.com | 23 November 2021 |
| Lunatio — lunatio.com |
|
| Luqman Hakim Yumnun — luqmanhakimy |
|
| Akansha Yadav | 24 June 2021 |
| Hassan Abbas Wadiwala | 28 July 2021 |
| Rahul Das Gupta — Rahul Das Gupta | 27 July 2021 |
| Radhika Mahato — RadhikaMahato4 | 05 July 2021 |
| MD Ozaer (Crypt1cSoul) | 05 July 2021 |
| Abdeali — Abdeali | 31 May 2021 |
| Faizan Ahmad Wani — faizanwani20 | 29 May 2021 |
| Arshad.U — Arshad.U | 29 May 2021 |
| Samprit Das — Samprit Das |
|
| Jay Kumar Pandey — Jay Kumar Pandey | 24 May 2021 |
| S Rahul — S Rahul | 13 May 2021 |
| Daniel Blindu | 10 May 2021 |
| Arjun Singh — Arjun Singh | 23 Apr 2021 |
| Abdelrahman Khaled — Abdelrahman Khaled | 23 Apr 2021 |
| IdZrack — IdZrack | 22 Apr 2021 |
| Ilham — rizzari13 |
|
| Raghuveer Singh Chouhan — Shr3e |
|
| Syed Muhammad Uzair — @ghostuzair | 31 Dec 2020 |
| Roshani Pagare — roshani-p | 26 Sep 2020 (x2) |
| Krishna Harishankar Yadav — krishna-yadav | 14 Aug 2020 (x2) |
| Vijay Farswan | 04 Aug 2020 |
| Ashfaqul Haq — ashfaqul-haq | 22 July 2020 |
| Marek Jilek — mjilek.cz | 19 June 2020 |
| Hoang Quoc Thinh — www.vng.com.vn |
|
| Anas Khan | 05 Jun 2020 |
| Kamran Javed — kamranjaved | 21 May 2020 |
| Aditra Andri Laksana — @Wayc0de | 16 May 2020 |
| Santosh S Kumbhar | 01 May 2020 |
| Khaled Ben Ali — khaled-khaled | 06 Apr 2020 |
| Markos Bersimis — markbersimis | 24 Mar 2020 |
| Taha Smily — taha-smily | 20 Mar 2020 |
| Nitin Santosh Gavhane — nitin-gavhane | 09 Nov 2019 |
| Volodymyr "Bob" Diachenko — vdyachenko, @mayhemdayone | 18 Oct 2019 |
| Prakash Kumar Parthasarathy | 15 Oct 2019 |
| Eddie — zodiacgenie.com | 8 Oct 2019 |
| Rafid Hasan Khan — linkedin | 3 Oct 2019 |
| Hamza Farooqi — Hamza Farooqi, Hamza.Farooqii | 29 Sep 2019 |
| M. Arslan Kabeer — talha03066 |
|
| Wai Yan Aung — @waiyanaun9 |
|
| Muhammad Fauzan | 2 Sep 2019 |
| Sohail Ahmed — mohammad.sohail.522 | 2 Aug 2019 |
| Teguh Aprianto — teguh.co |
|
| Mustafa Diaa — @c0braBaghdad1 | 23 May 2019 |
| Ketan Madhukar Mukane — eSec Haxor | 19 May 2019 |
| Fabergé — hackerone.com/faberge | 20 Mar 2019 |
| Shady Gamal | 21 Jan 2018 |
| Sakhavat Ismayilov — fs-code.com | 01 Oct 2018 |
| RootBakar — Roholesi Talaohu | 19 Sep 2018 |
| Kirill Lemeshkin — ArtRecordsSoundWaves | 31 Aug 2018 |
| Abdillah Muhamad — abdilahrf.github.io | 31 Aug 2018 |
| Ibnu Batutah Zarizal — @batutahibnu17 | 26 Aug 2018 |
| Rohit Dalvi — infovys.com | 16 Jul 2018 |
| NetSecAndy — @NetSecAndy1 | 14 Jul 2018 |
| Syed Ashik Mahmud — ashthemes.com | 12 Jul 2018 |
| Abdelouahed Errouaguy — www.erropix.com | 02 Apr 2018 |
| I_am_botman — @botmaan | 29 Mar 2018 |
| Barrett Adams — @peewpw | 8 Mar 2018 |
| Muhammad Ibnuh — @ibnuhx | 27 Feb 2018 |
| Md. Nur A Alam Dipu — @Dipu1A | 28 Jan 2018 |
| Jaikishan Tulswani — @_iamjk | 6 Jan 2018 |
| Christian Hakizimana — kapp.rw | 20 Dec 2017 |
| Akalanka Ekanayake | 9 Nov 2017 |
| SerHack — serhack.me | 28 Sep 2017 |
| Vineet Kumar — Vineet Kumar | 12 Sep 2017 |
| Alexander Sidukov — @cyberopus | 18 Aug 2017 |
| Abdelali Khalfi — Abdelali | 2 Aug 2017 |
| Ivan Danilov — coderast | 29 Jun 2017 |
| Piyush Kumar — silverpoisionhub.blogspot.in | 20 Jun 2017 |
| Himanshu Rahi — himanshu.rahi.31 | 9 Jun 2017 |
| Gamiel Xavier V. Manbiotan | 30 May 2017 |
| Shawar Khan — shawarkhanskofficial | 22 May 2017 |
| Mohammed Israil | 7 May 2017 |
| Alfie Njeru — the-infosec.com | 4 May 2017 |
| Gaurav Kumar — drago4344 | 2 May 2017 |
| Syed Muhammad Abdul Karim | 27 Mar 2017 |
| Yasin Soliman — @SecurityYasin | 8 Feb 2017 |
| Kenan Genç — @hackergnc | 7 October 2016 |
| Dave Baker — dtbaker.net | 1 October 2016 |
| Alex Crivion — crivion.com | 8 Sep 2016 |
| Aaysha Khilji — @a1ksecurity | 26 Aug 2016 |
| Muhammad Abdullah — root.abdullah | 03 Apr 2016 |
| Eden Alon — eden.alon12 | 31 Mar 2016 |
| Koen Rouwhorst — www.koenrouwhorst.nl | 11 Jan 2016 |
| Ramin Farajpour Cami — Saminray | 8 Sep 2015 |
| Syed Daniyal Bin Rashid — DaN1.mrcopypaste SaifAllah benMassaoud — WhiteHatSecuri | 4 Sep 2015 |
| Ahmed Jerbi — Web Plus | 3 Sep 2015 |
| Zeeshan — zeex.zeeshan | 27 Aug 2015 |
| Sumit Sahoo — 54H00 | 5 Jul 2015 |
| BALAJI P R — linkedin | 30 Dec 2014 |
| Sam Berson — @SamBerson | 29 Oct 2014 |
| Geert Smelt — @gasmelt | 19 Sep 2014 |
| Sajjad Hashemian — @skinodcom | 11 Aug 2014 |
| Mazen Gamal Mesbah — @MazenGamal | 20 Aug 2014 |
| Michael Wihl — gewora.net | 31 Jul 2014 |
| Tran Doan San — @doansan | 2 July 2014 |
| Bogdan Sergiu Dragos | 7 June 2014 |
| Kamil Sevi — @kamilsevi | 20 May 2014 |
| Amir Sohail | 08 May 2014 |
| Christy Philip Mathew — @christypriory | 30 Apr 2014 |
| Moujahed Jmal | 05 Apr 2014 |
| Mahadev Subedi | 18 Mar 2014 |
| Ahmad Ashraff | 18 Mar 2014 |
| Shpend Kurtishaj | 11 Mar 2014 |
| Abhishek Gahlot | 1 Feb 2014 |
| Chetan Soni — @iamchetansoni | 25 Nov 2013 |
| Janne Ahlberg | 1 Nov 2012 |
| Dejan Marjanovic | 1 Dec 2011 |
Honor Roll - Envato Author Items
| Name | Dates of reports |
|---|---|
| Badshah — LinkedIn |
|
| Darshan Kulkarni — LinkedIn |
|
| Umair Farooqui — LinkedIn |
|
| Visse ☆ — visse |
|
| Sahil Gaikwad — LinkedIn | 16 Dec 2020 |
| Teguh Aprianto — teguh.co |
|
| Nirav Sikotaria — iamniravsikotaria |
|
| Aaryan Saharan — @aaryansaharan |
|
| Nils Putnins — seq.science |
|
| Ashik Mahmud ☆ — ashik685.me |
|
| Deepak Holani — deepak.holani.5 | 3 Oct 2017 |
| Anthony Briand — www.qurium.org |
|
| Dawid Golunski — legalhackers.com | 26 May 2017 |
| Arbin Godar |
|
| João Pina — Twitter | 16 Dec 2016 |
| SWTE — on CodeCanyon | 25 Nov 2016 |
| rem1nd — @rem1nd_ | 24 Oct 2016 |
| Daniel Z | 03 May 2016 |
| Oszkar Bencsik | 30 Mar 2016 |
| Rahul Pratap Singh — 0x62626262.wordpress.com |
|
| Bevan Rudge — www.js.geek.nz | 25 Mar 2015 |
| Brett Chance — @uraniagroup | 11 Sep 2014 |
| Milan A Solanki | 21 July 2014 |
| Ajay Singh Negi — @AjaySinghNegi Prashant Negi — @prashantnegi_ Mahipal Singh Rajpurohit | 15 July 2014 |