Compass Bug Bounty Policy
Compass is committed to protecting the data that drives our marketplace. If you’re an independent security expert or researcher and believe you’ve discovered a security-related issue on our platform, or other assets owned by Compass that are in scope, we appreciate your help in disclosing the issue to us responsibly.
Our Pledge To You
We are committed to working with you to verify and address any potential vulnerabilities that are reported to us. We follow the Gold Standard Safe Harbor.
To report a security issue or vulnerability, please include a detailed description of the issue, how it was discovered, and steps we can take to reproduce what you have observed. A member of the HackerOne Triage Team will review your submission, and we will pay a bounty upon confirmation of validity and severity.
Compass will do its best to provide an updated list of known vulnerabilities to the HackerOne triage team. However, Compass maintains the right to consider any vulnerability submitted by researchers a duplicate report, whether or not it has been reported to HackerOne. This generally occurs when an issue has been previously identified from an internal process outside of HackerOne.
Scope
All assets not listed as in scope on our Scope page are out-of-scope. We may consider out-of-scope submissions, however, they are assessed on a case-by-case basis. We reserve the right to reduce severity for out-of-scope submissions.
Out of scope vulnerabilities
In addition to H1’s Core Ineligible Findings, the following issues are considered out of scope:
- Any vulnerabilities for our agent-marketing sites on Squarespace/Wiz/etc.
- Github Wiki pages
- Public/exposed google calendars
- https://www.compass.com/notifications/emails/*
- Agent PII. Agent information such as names, emails, phone numbers, and addresses is intended to be public, even if the agent's profile is set to "private".
- Iorad links
- Attacks requiring MITM or physical access to a user's device.
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Out of scope for Mobile
The following vulnerability types will be closed as Not Applicable:
- Physical access to the device
- Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, that depends on debug access being enabled, or that depends on a vulnerability in the operating system.
- Mobile application biometrics bypass
- Lack of mobile binary protection or SSL pinning
- Lack of mobile application encryption
- Issues that can only be exploited on an emulated device
Do not use any of the following methods, as they are prohibited:
- Take any actions that will affect the integrity or availability of our systems. If you notice performance interruption or degradation, immediately suspend all use of automated tools.
- Denial of service attacks
- Phishing or spear phishing
- Social engineering
- Physical attacks against our data centers or property (including servers or networks)
Response Timeline
Compass will make a best effort to meet the following response targets for hackers participating in our program:
- Time to first response (from report submit) - 5 business days
- Time to triage (from report submit) - 10 business days
- Time to bounty (from triage) - 5 business days
We peer review reports once a week unless the report is rated Critical or High. Please be patient with submissions. We'll try to keep you informed about our progress throughout the process.
Disclosure Policy
- Express consent from Compass is required to discuss the program or any vulnerabilities (even resolved ones) outside the program. You can request to disclose a vulnerability in HackerOne's platform.
- Follow HackerOne's disclosure guidelines.
Some principles to keep in mind
As you conduct your research we ask that you make a good faith effort to protect the privacy of our users and their data. To that end, please:
- Valid reports must be reproducible, have demonstrable impact, and describe something we can actually fix. Showing that a dependency is at a vulnerable version is not a valid submission by itself without proving that the vulnerability is actually exploitable.
- Stop and notify us immediately if you encounter any sensitive information or Personally Identifiable Information (PII) outside the scope of your test accounts or intended authorization.
- Only view information to the extent required to identify the vulnerability and report the vulnerability directly to us.
- Refrain from saving and/or sharing information.
- Provide sufficient information, in English, so that we can replicate the vulnerability. Failure to provide steps to reproduce and a working PoC may result in your report being ineligible for bounty.
- Only interact with accounts you own or have permission to access. Feel free to create your own accounts for testing purposes.
- To the extent you access any confidential or proprietary information of Compass, any personally identifiable information, or any information that is not accessible through publicly available channels, you agree to keep any such information in strict confidence and not to disclose to any third parties.
Test Plan
Please only test on the accounts you own. To do this, you can self-register an account with your @wearehackerone.com email account. Please see this article on HackerOne to learn about your wearehackerone.com email alias.
When registering an account, please be aware that only Buyer/Seller accounts have the ability to register their own accounts. Do not use social engineering or pose as a legitimate real-estate agent in order to create an Agent account.
Web traffic to and from Compass properties produces terabytes of data every day. When testing, you can make it easier for us to distinguish your testing traffic from our normal traffic and from malicious actors out in the world.
Please include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. The following table is an example of the header we expect.
| Identifier | Format | Example |
| ------------- | ------------- | ------------- |
| Your Username | X-Bug-Bounty: HackerOne-<username> | X-Bug-Bounty: HackerOne-otr |
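As an added example of how the header above is useful on the defender's side (this is illustrative code, not Compass's or HackerOne's own tooling), the script below reads constructed log lines in a made-up `headers=` layout, separates requests carrying a well-formed `X-Bug-Bounty: HackerOne-<username>` header from unlabelled and malformed ones, and counts requests per researcher.

```python
import re
from collections import Counter

# Header name and value format from the policy table; header names are matched case-insensitively.
BOUNTY_HEADER = "x-bug-bounty"
BOUNTY_RE = re.compile(r"^HackerOne-(?P<user>[A-Za-z0-9_-]+)$")


def parse_headers(raw: str) -> dict:
    """Parse 'Name: value; Name: value' text into a dict keyed by lowercase header name.
    This 'headers=' log layout is constructed for the example, not a Compass log format."""
    headers = {}
    for part in raw.split(";"):
        if ":" in part:
            name, value = part.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_request(log_line: str):
    """Return ('researcher', username) for a well-formed bounty header,
    ('malformed', value) when the header is present but not in the expected format,
    or ('other', None) when no bounty header was sent."""
    raw = log_line.split(" headers=", 1)[1] if " headers=" in log_line else ""
    value = parse_headers(raw).get(BOUNTY_HEADER)
    if value is None:
        return ("other", None)
    match = BOUNTY_RE.match(value)
    if match is None:
        return ("malformed", value)
    return ("researcher", match.group("user"))


def summarize(log_lines):
    """Count requests per researcher; malformed and unlabelled traffic are counted under their own keys."""
    counts = Counter()
    for line in log_lines:
        kind, who = classify_request(line)
        counts[who if kind == "researcher" else kind] += 1
    return counts


# Constructed sample log lines (not real Compass traffic); the username "otr" is the table's example.
SAMPLE_LOG = [
    "GET /api/listings headers=Host: www.compass.com; X-Bug-Bounty: HackerOne-otr",
    "POST /api/collections headers=Host: www.compass.com; x-bug-bounty: HackerOne-otr",
    "GET /search headers=Host: www.compass.com; X-Bug-Bounty: otr",
    "GET /api/listings headers=Host: www.compass.com",
]
```

Running `summarize(SAMPLE_LOG)` attributes the first two requests to `otr`, flags the third as malformed (missing the `HackerOne-` prefix), and leaves the fourth as ordinary traffic.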
Testing Tips
The following tips may help save you time when testing:
- There are roughly three classes of accounts on compass.com: Consumer(Buyer/Seller), Agent, and Staff
- personIDs are not considered secret
- Do not test any functionality that may create support tickets or require support staff to respond.
- Do not test any functionality that may email or notify an Agent. For example, do not attempt to "work with an Agent".
- Manual testing ONLY on the search box. Do not automate or send large amounts of requests to the search functionality.
- Leaked Credentials - Our agents are our customers and not employees. While they have @compass.com email addresses, they are responsible for their own endpoint and credential handling security practices. This may make leaked credentials Informational, since we do not control how our customers treat their own credentials.
- Leaked Credentials - We are only interested in employee accounts on any service, Okta accounts, agent or employee accounts on compass.com. Agent credentials on non-compass assets will not be accepted. Reminder that agents also get a @compass.com email address, but they are not employees of Compass.
- Leaked Credentials - Untested credentials dumps are not desired.
- OSINT findings - Compass does not control the security of agents' personal accounts, which can lead to false-positive OSINT findings such as exposed Google Docs, calendars, leaked credentials, and more. Please be cautious when reporting these findings, as there is a high likelihood the account owner is not a Staff member and therefore out of scope. Do not touch or tamper with customer data.
- OSINT findings - Compass employs some OSINT tooling of our own, so common or public dumps may already have been found and may not be eligible for payout.
- Subdomain takeovers - requires proof of takeover. Showing that it might be possible is insufficient since in many cases there are additional controls you might not be aware of.
- Collections - it is expected that users invited to a collection can remove anyone from the collection.
- Collections - it is expected that users invited to a collection can remove listings.
- Collections - it is expected that a user can invite a user to a collection without invitation.
- Certain API keys (such as google maps) are intended to be accessible to the end client. The only submissions which will be accepted have to show both how a key can be abused and how handling of the client key can be improved.
- Vulnerabilities on other Compass properties - Reminder that real-estate agents can use our branding. If you find a vulnerability on an agent website, it will not be accepted since Compass does not own or operate agent assets.
Thank you for helping keep Compass and our users safe!