Reverse engineering, use of undocumented API endpoints

andypiper · 2015-02-08T13:14:35.200Z

Continuing the discussion from Group DM support via the APIs?:

Would this section also affect reverse engineering for security research? From my experience Twitter accepts reports of security problems even if the affected endpoint is a private one, without consequences for the researcher. (It might be good to clarify this somewhere as I wasn’t sure about it, so when I reported my issue I even made a new Twitter account just for this purpouse, as the report form requires to enter one)

This is a good discussion although heading off-topic, so I’m starting a new one if anything it suggests that we could probably clarify the wording around this the next time we revise the policy and agreement. Thanks for the really helpful input!

(you’re right that we do indeed accept reports of security issues, via HackerOne)