Vulnerability Disclosure Policy
We take the security of our systems seriously, and we value the security community. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users.
We require that all researchers:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
- Perform research only within the scope set out below;
- Use the identified communication channels to report vulnerability information to us; and
- Keep information about any vulnerabilities you’ve discovered confidential between yourself and Salv until we have resolved the issue.
If you follow these guidelines when reporting an issue to us, we commit to:
- Not pursue or support any legal action related to your research;
- Work with you to understand and resolve the issue quickly;
- Recognize your contribution to our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.
Out of scope
- UI and UX bugs and spelling mistakes
- Findings from physical testing such as office access (e.g. open doors, tailgating)
- Findings derived primarily from social engineering (e.g. phishing, vishing)
- Network level Denial of Service (DoS/DDoS) vulnerabilities
- Any services hosted by 3rd party providers and services.
The following potential issues are not considered in scope:
- Lack of rate limiting on any resources
- Password policy issues, including lack of upper limit on passwords
- SPF/DKIM/DMARC configuration issues
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Banner or version disclosure on common/public services/of any kind.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- Clickjacking issues, unless an exploit showing account takeover or disclosure of sensitive resources is provided
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure and HTTPOnly cookie flags.
- Lack of Security Speedbump when leaving the site.
- Weak Captcha / Captcha Bypass
- Username enumeration via Login Page error message
- Username enumeration via Forgot Password error message
- Login or Forgot Password page brute force and account lockout not enforced.
- OPTIONS / TRACE HTTP method enabled
- SSL Attacks such as BEAST, BREACH, Renegotiation attack
- SSL Forward secrecy not enabled
- SSL Insecure cipher suites
- The Anti-MIME-Sniffing header X-Content-Type-Options
- Missing HTTP security headers, specifically (https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/)
- Self-XSS issues
Things we do not want to receive:
- Personally identifiable information (PII)
- DoS and overloading server with many requests or large requests
- Accessing and copying our customer data
- Conducting research against our partners and customers
- Abusing our services to conduct fraud
- Use of automated scanning tools
How to report a security vulnerability?
If you believe you’ve found a security vulnerability in one of our products or platforms please send it to us by emailing [email protected].
Please include the following details with your report:
- Description of the location and potential impact of the vulnerability;
- A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and
- Your name/handle and a link for recognition in our Hall of Fame.
If you’d like to encrypt the information, please use our [PGP key].
Note: We do not currently offer bounties or other rewards for submitted vulnerability reports.
Please note that we will be processing your data in connection with your report and our internal processes.
If you wish to report the issue anonymously, please state this in your communication, and we will not contact you or retain your personal information.