# Program Overview
We appreciate your efforts and hard work in making the internet (and Flexport) more secure, and look forward to working with the researcher community to create a meaningful and successful vulnerability disclosure program. Good luck and happy hunting!
## Response Targets
Flexport will make a best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 2 days |
| Time to Triage | 5 days |
| Time to Resolution | Depends on severity and complexity |
## Objective
To state explicitly the submissions and report types that will be out of scope and not considered for rewards. This disclosure program is limited to security vulnerabilities in web applications owned by Flexport. This program does not provide bounty or monetary rewards for bug submissions.
## Ratings/Rewards:
It is important to note that in some cases a vulnerability's priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.
Testing is only authorized on the targets listed as In-Scope. Any domain/property of Flexport not listed in the targets section is out of scope. This includes any and all subdomains not listed there. If you believe you've identified a vulnerability on a system outside the scope, please reach out to [email protected] before submitting.
## Safe Harbor:
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via [email protected] before going any further.
## In Scope Targets
- *.flexport.com
- *.transmissionapp.com
- *.deliverr.com
- *.convoy.com
Please DO NOT sign up or create any test accounts on any application which allows self registration. Any vulnerability which requires a user account would be considered out of scope.
### Access:
All targets are publicly accessible. Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.
# Out of Scope
- Any vulnerability which requires self-registration (for example: https://developers.flexport.com/s/forums). This is to avoid spamming of our public forums.
- Not applicable -- non-reproducible security vulnerabilities or issues explicitly out of scope per our guidelines.
- Credential re-usage from public dumps.
- Vulnerabilities whose primary security impact is focused on Phishing.
- UUID enumeration of any kind.
- Account oracles -- the ability to submit a phone number, email, or UUID and receive back a message indicating that a Flexport account exists.
- Open redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing OAuth tokens, we do still want to hear about them.
- Reports that state that software is out of date/vulnerable without a proof-of-concept.
- Reports that affect only outdated user agents or app versions -- we only consider exploits in the latest browser versions for Safari, Firefox, Chrome, Edge, IE and the versions of our application that are currently in the app stores.
- Stack traces, path disclosure, and directory listings.
- Best practice concerns.
- Highly speculative reports about theoretical damage -- please always provide a proof-of-concept.
- Vulnerabilities that cannot be used to exploit other users or Flexport -- e.g. self-XSS or having a user paste JavaScript into the browser console.
- Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.
- Reports from automated web vulnerability scanners (Tenable, Qualys, etc.) that have not been validated.
- Distributed denial of service attacks (DDoS).
- Physical or social engineering attempts (this includes phishing attacks against Flexport employees).
- Content injection issues.
- Cross-site Request Forgery (CSRF) with minimal security implications (logout CSRF, etc.).
- Missing cookie flags on non-authentication cookies.
- Issues that require physical access to a victim’s computer/device.
- SSL/TLS scan reports (this means output from sites such as SSL Labs).
- Banner grabbing issues (figuring out what web server we use, etc.).
- Open ports without an accompanying proof-of-concept demonstrating vulnerability.
- Entering the Flexport offices as a potential vendor, interviewee, or family/friend overhearing conversations and then attempting to extort