### BookFresh is now Square Appointments
We are no longer accepting signups for new accounts at bookfresh.com. We will continue to accept vulnerability reports, and will thank reporters for valid submissions. However, we will no longer be paying bounties for new submissions. Please submit any vulnerabilities to the main Square Bug Bounty program. Thank you for your interest in Square security.
### Disclosure and scope exclusions
Important: if you have already opened a report for Bookfresh under the Square Bug Bounty, there is no need to reopen the issue here.
Bookfresh recognizes the important contributions the security research community can make. We encourage coordinated reporting of security issues with our services. We take the security of our services very seriously and monitor their use for indications of a malicious attack. In order to allow us to identify legitimate security research as opposed to malicious attacks against our services, we promise not to bring legal action against researchers who:
- Share with us the full details of any problem found.
- Do not disclose the issue to others until we’ve had reasonable time to address it.
- Do not intentionally harm the experience or usefulness of the service to others.
- Never attempt to view, modify, or damage data belonging to others.
- Do not attempt a denial-of-service attack.
- Do not perform any research or testing in violation of law.
### Attributes of a good report
- Detailed steps for reproducing the bug. Where helpful, include screenshots, the links you clicked, the pages you visited, etc.
- Quality not quantity. Keep focused on the technical details and provide precise explanations; stay clear of off-topic commentary.
- Provide us with a concrete attack scenario. How will the problem impact Bookfresh or our customers? Put the problem into context.
### Ineligible reports and false positives
- Issues related to software not under Bookfresh's control
- Reports from automated tools or scans
- Social engineering of Bookfresh staff or contractors
- Any physical attempts against Bookfresh property or data centers
- Logout CSRF
- Presence of autocomplete attribute on web forms
- Missing cookie flags on non-sensitive cookies
- Missing HTTP security headers (unless you deliver a proof of concept that leverages their absence)
- Clickjacking on widgets intended to be embedded in other pages
- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept -- and not just a report from a scanner)