BUG BOUNTY POLICY
Our company welcomes security researchers to responsibly research our
platform with the goal of making it safer for our customers.
We offer recognitions and rewards for the discovery of eligible
vulnerabilities in accordance with this policy.
If you think you have found a vulnerability in airSlate’s
platforms, integrations, or client libraries, please submit
a vulnerability report to us as soon as possible by emailing
security_report@airslate.com
Only reports that meet all of the following requirements are eligible
to receive a monetary reward:
- You must be the first reporter of the vulnerability;
- The vulnerability must demonstrate security impact to a site or
  application that is within the scope of this program, as described
  below;
- You must not have compromised the privacy of our users or otherwise
  violated our Privacy Notice or Data Protection Addendum;
- You must not have publicly disclosed the vulnerability;
- You must have otherwise complied with this policy, all of its rules
  and provisions, and the applicable laws.
To submit a vulnerability report, please provide as much
evidence as possible, including but not limited to: reproduction
steps, screenshots, account information and any other details that would
allow us to verify your vulnerability. By submitting
a report, you are indicating that you have read, understand, and
agree to the terms of this policy.
PROGRAM RULES
- Avoid compromising any personal data and avoid interrupting or
  degrading any service.
- Avoid automated tools that generate large volumes of traffic.
- Don't violate the privacy of other users.
- Don't use discovered vulnerabilities to harm our platform.
- Don't access or modify other users' data; confine all tests to your
  own accounts.
- Don't exploit any DoS/DDoS vulnerabilities, perform social engineering
  attacks, or send spam.
- Don't publicly disclose discovered vulnerabilities or share private
  information.
- You must comply with all applicable laws in connection with your
  research activities and participation in this program.
- Do not exploit any vulnerability beyond the minimal amount of testing
  required to prove that it exists or to identify an indicator related
  to it.
- Do not extract any data under any circumstances.
- Do not intentionally compromise the intellectual property or other
  commercial or financial interests of us or any third parties.
- Do not submit high-volume or low-quality reports.
- If at any point you are uncertain whether to continue testing, please
  engage with our team.
Please allow us at least 5 (five) business days to confirm receipt
of your report. An eligible report will be reviewed and responded
to within a commercially reasonable time. We reserve the right not to
provide any substantive response to any reports which we deem to be
outside the scope of this policy or that we find abusive or redundant.
The decision as to whether your report is eligible for this program and
what reward, if any, is due will be made by us in our sole discretion,
and such decision is final and non-appealable. Although we may choose to
share information with you, please understand that you do not have the
right to be notified of the reason why your report was accepted or
rejected or of any follow-up or other information related to your report
or the vulnerability you reported. As part of your compliance with this
policy, upon request, and in any case as a condition to receiving a
reward hereunder, you agree to sign a non-disclosure agreement
acceptable to airSlate in its sole discretion. We do not permit any
person or entity to engage in any security research or vulnerability or
threat disclosure activity that is inconsistent with this policy or the
law.
We may modify the terms of this policy or terminate the policy at any
time.
IN-SCOPE VULNERABILITIES
This policy covers vulnerabilities found in the websites,
applications, and systems owned by airSlate and its affiliates,
including the following websites:
- *.airslate.com
- *.signnow.com
- *.pdffiller.com
Without limiting our discretion as set forth in this policy, the
following are some examples of vulnerabilities that may
be within the scope of this policy with the respective estimated
levels of severity.
- Examples of Critical Impact Vulnerabilities:
  - Unauthorized access to gain full control over customer accounts
  - Ability to access and modify customer personal data
  - Code execution on production systems with sensitive data and
    functionality
  - Unauthorized access to administrative portals used in production
  - Ability to write data in misconfigured S3 buckets
  - Remote Code Execution (RCE) in services with PII
  - SQL/NoSQL Injection with significant impact on production systems
  - Authentication bypass with significant impact on production systems
  - Insecure Direct Object Reference (IDOR) with account takeover or
    ability to change/delete other users' data
- Examples of High Impact Vulnerabilities:
  - SQL/NoSQL Injection
  - OS Command Injection
  - Ability to view sensitive data in misconfigured S3 buckets (e.g.
    inadvertent exposure of sensitive data)
  - Remote Code Execution in services without PII
  - Cross-Site Request Forgery resulting in significant security or
    privacy impact on customer personal data
  - HTTP Request Smuggling
- Examples of Medium Impact Vulnerabilities:
  - Misconfigurations resulting in information leaks
  - Cross-Site Scripting (XSS) - Stored
  - Open services exposing internal data (e.g. service logs, internal
    configuration information, error dumps printed by production
    services)
  - Insecure Direct Object Reference (IDOR)
  - Server-Side Request Forgery (SSRF)
  - HTTP Response Splitting
- Examples of Low Impact Vulnerabilities:
  - Issues that would fall into a higher severity tier if not for a
    mitigating factor
  - HTML injection
  - Cross-Site Request Forgery (CSRF)
  - Captcha Bypass
  - Path Traversal
  - Subdomain Takeover
OUT-OF-SCOPE
Although we welcome feedback on anything you may perceive
as a vulnerability, no reward will be paid for any
vulnerability that does not meet all the eligibility requirements
of this policy. The following is a non-exclusive list
of vulnerabilities which are not eligible for reward under this
Program:
- UI and UX bugs and spelling or localization mistakes
- Descriptive error messages (e.g. stack traces, application or server
  errors)
- Vulnerabilities in third-party applications
- Publicly accessible login panels without proof of exploitation
- Reports that state that software is out of date/vulnerable without a
  proof of concept
- Host header issues without a proof of concept demonstrating the
  vulnerability
- HTTP error codes and pages
- Fingerprinting/banner disclosure on common/public services
- Disclosure of known public files or directories (e.g. robots.txt)
- Clickjacking/UI redressing and bugs that require unlikely user
  interaction or phishing
- Missing HTTP security headers
- Missing Secure/HttpOnly flags on non-sensitive cookies
- Password and account recovery policies, such as reset link expiration
  or password complexity
- CSRF in forms that are available to anonymous users (e.g. the contact
  form)
- Login & logout CSRF
- Open redirects with low security impact
- Presence of application or web browser "autocomplete" or "save
  password" functionality
- OPTIONS HTTP method enabled
- Lack of a security speed bump (warning page) when leaving the site
- Content injection issues
- HTTPS mixed content scripts
- Content spoofing without embedded links/HTML
- Vulnerabilities that cannot be used to exploit other users
- Reflected File Download (RFD)
- Infrastructure vulnerabilities, including:
  - Certificates/TLS/SSL related issues
  - DNS issues (e.g. MX records, SPF, DKIM and DMARC records, etc.)
  - Server configuration issues (e.g. open ports, TLS, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers
  and platforms
- Issues that require physical access to a victim's computer
- Physical or social engineering attempts (this includes phishing
  attacks against employees)
- Recently disclosed zero-day vulnerabilities
- Microsites with little to no user data
- Most brute-forcing issues
- Denial of service
- Spamming
- Cross-Site Scripting (XSS) - Reflected
- Cross-Site Scripting (XSS) - DOM
- Plain-text authentication via HTTP
- User enumeration
- Open redirect
- Weak password recovery mechanism for forgotten password
- File and directory information exposure
- Information exposure through debug information
- Session fixation
- Missing rate limits
GOOD REPORTS
A good report under this policy would normally include the following:
- Summary: Your report should start with a brief summary introducing the
  reader to your finding.
- Vulnerability Description: This section describes all the details
  related to your finding. Make the technical points clear and explain
  what causes the issue.
- Proof of Concept: A report with proof-of-concept code will allow us to
  assess your submission more quickly and accurately. The
  Proof-of-Concept section should contain:
  - the request and response (e.g. from Burp Suite or OWASP ZAP), with
    both a positive and a negative scenario so that the finding can be
    reproduced reliably, and the documented results;
  - screenshots of the product's vulnerable functionality; and
  - a video demonstrating how the vulnerability could be exploited.
- Mitigation: You can link to the relevant OWASP Prevention Cheat Sheet
  or other security documents.
BAD REPORTS
The following reports are most likely to be dismissed or not eligible for
reward.
- Most best-practice-based reports will be dismissed.
- Reports that are not directly related to the in-scope systems will most
  likely be dismissed.
- Reports that are plain copy-paste from automated scanners, with no
  thought given to how the findings could be exploited, will most likely
  receive a low bounty or none.
- Purely theoretical issues with no proof of real-life impact.
FEEDBACK
If you have any questions, suggestions, or feedback, please contact us at
security_report@airslate.com
Thank you for helping us keep airSlate and our users safe.