BUG BOUNTY POLICY
Our company welcomes security researchers to responsibly research our platform with the goal of making it safer for our customers. We offer recognitions and rewards for the discovery of eligible vulnerabilities in accordance with this policy.
If you think you have found a vulnerability in airSlate’s platforms, integrations, or client libraries, please submit a vulnerability report to us as soon as possible by emailing [email protected]
Only reports that meet all of the following requirements are eligible to receive a monetary reward:
- You must be the first reporter of the vulnerability;
- The vulnerability must demonstrate security impact to a site or application that is within the scope of this program, as described below;
- You must not have compromised the privacy of our users or otherwise violated our Privacy Notice or Data Protection Addendum;
- You must not have publicly disclosed the vulnerability;
- You must have otherwise complied with this policy, all of its rules and provisions, and the applicable laws.
To submit a vulnerability report, please provide as much evidence as possible, including but not limited to: reproduction steps, screenshots, account information and any other details that would allow us to verify your vulnerability. By submitting a report, you are indicating that you have read, understand, and agree to the terms of this policy.
PROGRAM RULES
- Avoid compromising any personal data and avoid interrupting or degrading any service.
- Avoid using automated tools that create massive traffic.
- Don't violate the privacy of other users.
- Don’t use discovered vulnerabilities to harm our platform.
- Don’t access or modify other users’ data; confine all testing to your own accounts.
- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam.
- Don’t publicly disclose discovered vulnerabilities or share private information.
- You must comply with all applicable laws in connection with your research activities and participation in this program.
- Don’t cause harm, and do not exploit any vulnerability beyond the minimal amount of testing required to prove that it exists or to identify an indicator related to it.
- Do not extract any data under any circumstances.
- Do not intentionally compromise the intellectual property or other commercial or financial interests of us or any third parties.
- Do not submit high-volume or low-quality reports.
- If at any point you are uncertain whether to continue testing, please engage with our team.
Please allow us at least 5 (five) business days to confirm the receipt of your vulnerability. An eligible report will be reviewed and responded to within a commercially reasonable time. We reserve the right not to provide any substantive response to any reports which we deem to be outside the scope of this policy or that we find abusive or redundant. The decision as to whether your report is eligible for this program and what reward, if any, is due will be made by us in our sole discretion, and such decision is final and non-appealable. Although we may choose to share information with you, please understand that you do not have the right to be notified of the reason why your report was accepted or rejected or of any follow-up or other information related to your report or the vulnerability you reported. As part of your compliance with this policy, upon request, and in any case as a condition to receiving a reward hereunder, you agree to sign a non-disclosure agreement acceptable to airSlate in its sole discretion. We do not permit any person or entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law.
We may modify the terms of this policy or terminate the policy at any time.
IN-SCOPE VULNERABILITIES
This policy covers vulnerabilities found in the websites, applications, and systems owned by airSlate and its affiliates, including the following websites:
- *.signnow.com
- *.pdffiller.com
Without limiting our discretion as set forth in this policy, the following are some examples of vulnerabilities that may be within the scope of this policy with the respective estimated levels of severity.
Examples of Critical Impact Vulnerabilities:
- Unauthorized access to gain full control over customer accounts
- Ability to access and modify customer personal data
- Code execution on production systems with sensitive data and functionality
- Unauthorized access to administrative portals used in production
- Ability to write data in misconfigured S3 buckets
- Remote Code Execution (RCE) in services with PII
- SQL/NoSQL Injection with significant impact on production systems
- Authentication bypass with significant impact on production systems
- Insecure Direct Object Reference (IDOR) with account takeover or ability to change/delete other users’ data
Examples of High Impact Vulnerabilities:
- SQL/NoSQL Injection
- OS Command Injection
- Ability to view sensitive data in misconfigured S3 buckets (e.g. inadvertent exposure of sensitive data)
- Remote Code Execution in services without PII
- Cross-Site Request Forgery resulting in significant security or privacy impact on customer personal data
- HTTP Request Smuggling
Examples of Medium Impact Vulnerabilities:
- Misconfigurations resulting in information leaks
- Cross-Site Scripting (XSS) - Stored
- Open services with internal services data (e.g. service logs, internal configuration information, printing error dumps in production services)
- Insecure Direct Object Reference (IDOR)
- Server-Side Request Forgery (SSRF)
- HTTP Response Splitting
Examples of Low Impact Vulnerabilities:
- Issues that would fall into a higher severity tier if not for a mitigating factor
- HTML injection
- Cross-Site Request Forgery (CSRF)
- Captcha Bypass
- Path Traversal
- Subdomain Takeover
OUT-OF-SCOPE
Although we welcome feedback on anything you may perceive as a vulnerability, no reward will be paid for any vulnerability that does not meet all the eligibility requirements of this policy. The following is a non-exclusive list of vulnerabilities which are not eligible for reward under this Program:
- UI and UX bugs and spelling or localization mistakes
- Descriptive error messages (e.g. Stack Traces, application or server errors)
- Vulnerabilities in third-party applications
- Publicly accessible login panels without proof of exploitation
- Reports that state that software is out of date/vulnerable without a proof of concept
- Host header issues without proof-of-concept demonstrating the vulnerability
- HTTP codes/pages or other HTTP non-codes/pages
- Fingerprinting/banner disclosure on common/public services
- Disclosure of known public files or directories (e.g. robots.txt)
- Clickjacking/UI Redressing and bugs that require unlikely user interaction or phishing
- Missing HTTP security headers
- Missing Secure/HTTPOnly flags on non-sensitive Cookies
- Password and account recovery policies, such as reset link expiration or password complexity
- CSRF in forms that are available to anonymous users (e.g. the contact form)
- Login & Logout CSRF
- Open redirects with low security impact
- Presence of application or web browser “autocomplete” or “save password” functionality
- OPTIONS HTTP method enabled
- Lack of a security speed bump when leaving the site
- Content injection issues
- HTTPS Mixed Content Scripts
- Content Spoofing without embedded links/html
- Vulnerabilities that cannot be used to exploit other users
- Reflected File Download (RFD)
Infrastructure vulnerabilities, including:
- Certificates/TLS/SSL related issues
- DNS issues (e.g. mx records, SPF, DKIM and DMARC records, etc.)
- Server configuration issues (e.g., open ports, TLS, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
- Issues that require physical access to a victim’s computer
- Physical or social engineering attempts (this includes phishing attacks against employees)
- Recently disclosed zero-day vulnerabilities
- Microsites with little to no user data
- Most brute-forcing issues
- Denial of service
- Spamming
- Cross-site Scripting (XSS) - Reflected
- Cross-site Scripting (XSS) - DOM
- Plain-text authentication via HTTP
- User Enumeration
- Open Redirect
- Weak Password Recovery Mechanism for Forgotten Password
- File and Directory Information Exposure
- Information Exposure Through Debug Information
- Session fixation
- No rate limit vulnerabilities
GOOD REPORTS
A good report under this policy would normally include the following:
- Summary: Your report should start with a brief summary introducing the reader to your finding.
- Vulnerability Description: This section describes all the details related to your finding. Make the technical points clear and explain what causes the issue.
- Proof of Concept: A report with Proof-of-Concept code will allow us to assess your submission more quickly and accurately. The Proof-of-Concept section should contain:
- request and response (Burp Suite, OWASP ZAP) with both positive and negative scenarios to examine its durability, and document the results;
- screenshots of the product’s vulnerable functionality; and
- a video describing potential vulnerability exploitation.
- Mitigation: You can link to the relevant OWASP Prevention cheat sheet or other security documents.
BAD REPORTS
The following kinds of reports are most likely to be dismissed or found not eligible for reward.
- Most best-practices-based reports will be dismissed.
- Reports that are not directly related to the in-scope systems will most likely be dismissed.
- Reports that are plain copy-paste from automated scanners with no thought behind how to exploit the findings will most likely have a low or no bounty awarded.
- Purely theoretical issues with no proof of real-life impact.
FEEDBACK
If you have any questions, suggestions, or feedback, please contact us at [email protected]
Thank you for helping us keep airSlate and our users safe.