Details

Introduction

Faraday, Inc. looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.

Please see the "Out of scope" section - there are important exclusions.

Response targets

Faraday, Inc. will make a best effort to meet the following response targets for hackers participating in our program:

Time to first response: 2 business days
Time to triage: 2 business days
Time to bounty: 1 business day

We'll try to keep you informed about our progress throughout the process.

Disclosure policy

Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Follow HackerOne's https://www.hackerone.com/disclosure-guidelines

Program rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

Test plan

https://app.faraday.ai/signup

This will mostly give you access to the API (https://api.faraday.ai), but it will also give you a window into our web app (https://app.faraday.ai).

Our test priorities are:

Nobody can break in
No cross-account leakage
We aren't leaving sensitive data publically accessible

Rewards

Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Faraday, Inc..

In scope

Anything listed "In scope" below
BigQuery
Malicious action by authenticated users
CSRF/XSS
Content spoofing and text injection issues with showing an attack vector/with being able to modify HTML/CSS
Open redirect if an additional security impact can be demonstrated
Clickjacking on pages with sensitive actions
Previously known vulnerable libraries with a working Proof of Concept.
Uploaded file injection with demonstrating a vulnerability

Out of scope

These are OUT OF SCOPE:

The fact that https://vault2.faraday.ai is open to the world (no IP allowlist)
Any vulnerability that requires a properly authorized user's credentials or secrets. In other words, if the first step of your attack is to be logged into a target account, then it's unlikely to be considered in scope.
Bypassing account limits e.g. ability to create many Connections if you send requests all at once (this is effectively DOS)
The fact that you can invite or remove anybody you want to an account. Do not report this.
The fact that API keys are shared among all users on an account.
The fact that API keys are included in GraphQL responses.
Denial of Service (DOS)
Don't schedule a demo on https://faraday.ai. It is extremely distracting to our sales team.
Non-secret tokens on https://app.faraday.ai/api/environment.js. Do not report this.
Modifying what is "enabled" on the frontend in order to see "hidden" consoles on the UI - this is by design. Authoritative access control happens at the API layer.
https://faraday.atlassian.net/servicedesk/customer/user/signup - this is not associated with Faraday
Our public website https://faraday.ai
Rate limiting or bruteforce issues on non-authenticated endpoints
Rollbar (ff5ae6124c8b4a77ae60503f62f8f213) and Intercom (1pdrkobe) tokens found in our JS.
Attacks requiring MITM or physical access to a user's device.
Missing best practices in SSL/TLS configuration.
Missing best practices in Content Security Policy.
Missing HttpOnly or Secure flags on cookies
Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
Tabnabbing

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Thank you for helping keep Faraday, Inc. and our users safe!

Copyright

Program rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

Social engineering (e.g. phishing, vishing, smishing) is prohibited.

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

Test plan

This will mostly give you access to the API (https://api.faraday.ai), but it will also give you a window into our web app (https://app.faraday.ai).

Our test priorities are:

Nobody can break in

No cross-account leakage

We aren't leaving sensitive data publically accessible

In scope

Anything listed "In scope" below

BigQuery

Malicious action by authenticated users

CSRF/XSS

Content spoofing and text injection issues with showing an attack vector/with being able to modify HTML/CSS

Open redirect if an additional security impact can be demonstrated

Clickjacking on pages with sensitive actions

Previously known vulnerable libraries with a working Proof of Concept.

Uploaded file injection with demonstrating a vulnerability

Out of scope

These are OUT OF SCOPE:

The fact that https://vault2.faraday.ai is open to the world (no IP allowlist)

Any vulnerability that requires a properly authorized user's credentials or secrets. In other words, if the first step of your attack is to be logged into a target account, then it's unlikely to be considered in scope.

Bypassing account limits e.g. ability to create many Connections if you send requests all at once (this is effectively DOS)

The fact that you can invite or remove anybody you want to an account. Do not report this.

The fact that API keys are shared among all users on an account.

The fact that API keys are included in GraphQL responses.

Denial of Service (DOS)

Don't schedule a demo on https://faraday.ai. It is extremely distracting to our sales team.

Non-secret tokens on https://app.faraday.ai/api/environment.js. Do not report this.

Modifying what is "enabled" on the frontend in order to see "hidden" consoles on the UI - this is by design. Authoritative access control happens at the API layer.

https://faraday.atlassian.net/servicedesk/customer/user/signup - this is not associated with Faraday

Our public website https://faraday.ai

Rate limiting or bruteforce issues on non-authenticated endpoints

Rollbar (ff5ae6124c8b4a77ae60503f62f8f213) and Intercom (1pdrkobe) tokens found in our JS.

Attacks requiring MITM or physical access to a user's device.

Missing best practices in SSL/TLS configuration.

Missing best practices in Content Security Policy.

Missing HttpOnly or Secure flags on cookies

Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]

Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).

Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.

Tabnabbing

Safe Harbor