Eventbrite

##Introduction## At Eventbrite, we deeply value the safety and security of our users. We go through great lengths to ensure that our systems are built and maintained to the highest standards, but also recognize that no computer system is without flaws. To that extent, Eventbrite wishes to recognize the contribution of public security reporters who take interest in Eventbrite security and helping further protect its user, customers, and employees by responsibly disclosing any security vulnerabilities they find through this program.

##Test Account Usage## To test your work, please [Sign Up] (https://www.eventbrite.com/signup) for a test account and be sure to include +hackerone in your email address when signing up (e.g. [email protected])

Researchers not following the+hackerone rule will not be eligible for rewards under this program.

##Rules## You, the responsible security researcher, will only be considered eligible for this program provided you:

• Only test against accounts which you create
• Properly name your test accounts for Eventbrite's logging, diagnostic, and cleanup purposes.
• Follow the reporting rules
• Are 18 years old or older.
• Are not an individual on the OFAC Sanctions List and not an individual in countries on the sanctions list.
• Allow a reasonable amount of time for Eventbrite to respond and remediate to your vulnerability report before publishing the vulnerability details.

Eventbrite reserves the right to modify the rules of this program or deem any submission invalid at any time, for any reason, and without notification. Eventbrite may cancel this Security Research Program at anytime without notice.

##Program Scope## The scope of this security research program is limited to:

• *.eventbrite.com
• www.eventbriteapi.com

##Vulnerabilities## The Eventbrite Security Team has complete and final authority over which vulnerabilities are eligible for inclusion in the Program and any applicable rewards. Typically, Eventbrite will only reward vulnerability classes listed below:

• Remote Code Execution
• SQL Injection
• Privilege Escalation (from unauthenticated user to authenticated user, escalation to Admin)
• Authentication bypasses
• Authorization issues (access to other's event details, etc).
• Cross-Site Request Forgery
• Cross-Site Scripting (Limited)
• Broken Authentication and Session Management (Restricted)
• Open Redirects
• Insecure Direct Object References

##Known Issues## The following list of vulnerabilities have already been reported to our Security team, reviewed, and deemed out of scope for the purposes of this program. Please do not report any of the following classes of issues. Unless there are exceptional circumstances or novel attacks, these issues will be closed as Not Applicable

• Missing or misconfigured X-Frame-Options headers.
• Javascript / XSS which fires when interacting with the Rich Text Editor.
• HTML Injection -- In most cases, it is expected product behavior to allow a subset of HTML to be displayed.
• Missing HttpOnly cookie attribute on non-sensitive cookies
• Missing Secure cookie attribute on non-sensitive cookies
• Logout CSRF
• Password reset page sends multiple emails if requested multiple times.
• Username Enumeration
• Issues with SPF, DKIM, or DMARC records on eventbrite.com
• BEAST Vulnerabilities
• Vulnerabilities found by an automated scanner. Please take the time to manually verify your findings before reporting them.

##Known False Positives

• POODLE Vulnerability via the POODLE Scan Tool. Eventbrite servers are fully patched against CVE-2014-3566.

##Ineligible Vulnerability Classes## Eventbrite does not consider the following to be eligible vulnerabilities under this program:

• Denial of Service
• Social Engineering exploits against customers or Eventbrite administrators.
• Self-Inflicted XSS or any XSS attack that requires MITM presence to alter HTTP headers
• Brute Forcing Passwords and Password Reset Token Guessing
• Mass Account Registration
• Missing Strict-Transport-Security Headers
• Use of http://
• Non-conformance with Security Best Practices.
• Mobile application issues that depend on being rooted/jailbroken.

##Rewards## Eventbrite currently offers Public Acknowledgement on our Eventbrite Security Wall of Fame

##Legal Indemnification ## Eventbrite will not pursue legal action against security researchers who follow the program rules outlined in this document and responsibly disclose vulnerabilities to us.

Non-Secure Cookies

• AN
• G
• SERVERID
• SP
• SS
• csrftoken
• eblang
• mgemail
• mglts
• mgref
• mgrefby
• __ut*
• gpv_p8
• km_*
• kvcd
• mp_*
• s_cc
• s_sq
• sid