#Have you discovered a security issue with Gusto.com or another Gusto property?
Please report to [email protected] immediately with a detailed description of the issue and the steps to reproduce it. Include a supplementary video recording if you can. We are committed to addressing security issues in a timely manner and will pay a bug bounty for your responsible disclosure. If you would like a PGP key to encrypt your message, please email us and request one. For authenticated scans and tests, please apply for test accounts. A demo account is also available at https://app.gusto-demo.com/demo_account.
#In-Scope Properties:
All content on any website, web application, or platform listed below (collectively, the “Properties”) qualifies for the Program:
- gusto.com
- www.gusto.com
- link.gusto.com
- *.gusto-demo.com
- www.gusto-demo.com
- link.gusto-demo.com
- api.gusto-demo.com
- app.gusto-demo.com
- manage.gusto-demo.com
- hippo.gusto-demo.com
#Out-of-Scope Properties:
The sites, applications, platforms, and other properties listed below are out of scope and will not qualify for the Program. Please DO NOT test them:
- *.gusto.com (except for gusto.com, www.gusto.com, and link.gusto.com, which are in-scope properties, as listed above)
- api.gusto.com
- app.gusto.com
- manage.gusto.com (This is a production environment that files irreversible forms with various government agencies and may move money to and from real bank accounts. Please use https://manage.gusto-demo.com instead, which is our sandboxed environment.)
- hippo.gusto.com
#Non-Qualifying Vulnerabilities:
Depending on their impact, some reported vulnerabilities may not qualify for a reward. Although we do review each Vulnerability Report individually to determine whether a vulnerability is a Qualifying Vulnerability, below are some vulnerabilities that are unlikely to be Qualifying Vulnerabilities and are hence unlikely to earn a reward:
- Best practices concerns
- Clickjacking on pages with no sensitive actions
- Content injection issues
- Cross-site request forgery (CSRF) with minimal security implications (logout CSRF, etc.)
- CSV injection
- Flaws affecting the users of End of Life browsers and plugins
- Fraud issues (while we welcome you to submit reports on fraud issues, we do not offer Rewards for them at this time)
- Invite/promo code enumeration
- Issues relating to Password Policy
- Legitimate content proxying and framing
- Missing autocomplete attributes
- Missing cookie flags on non-security-sensitive cookies
- Missing security headers that do not pose an immediate security vulnerability
- Non-technical vulnerabilities, such as the physical security of Gusto’s offices
- Open ports without a proof-of-concept demonstrating an actual vulnerability
- Open redirects (however, we do ask that you submit reports on open redirects with high security impact, such as those that can be used to steal OAuth tokens)
- Presence of banner or version information (provided, however, that if you believe that outdated software poses a legitimate security risk, please do report it to us)
- Recently disclosed zero-day vulnerabilities - please wait four weeks before reporting these types of issues
- Reflected file download (RFD)
- Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console)
- SSL/TLS scan reports (this means output from sites such as SSL Labs)
- Stack traces that disclose information
- Vulnerabilities as reported by automated tools without further analysis as to how they pose a risk to Gusto
- Vulnerabilities reported through a broker
- Vulnerabilities requiring physical access to a victim’s computer
- window.opener-related issues