Open For Review: Web Sites That Accept Security Research
So one of the core aspects of my mostly-kidding-but-no-really White Hat Hacker Flowchart is that, if the target is a web page, and it’s not running on your server, you kind of need permission to actively probe for vulnerabilities.
Luckily, there are actually a decent number of sites that provide this permission.
One could make the argument that you can detect who in the marketplace has a crack security team by who’s willing and able to commit the resources for an open vulnerability review policy.
Some smaller sites have also jumped on board (mostly absorbing and reiterating Salesforce’s policy — cool!):
There are some interesting implications to all of this, but for now let’s just get the list out there. Feel free to post more in the comments!