
MURAL
Boost team collaboration and innovation with Mural, the AI-powered visual workspace. Plan, strategize, and execute projects seamlessly on one intuitive tool.
External Program
Submit bugs directly to this organization


No technology is perfect, and MURAL believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
While researching, we'd like to ask you to refrain from:
The following elements are unlikely to be eligible for a bounty:
Severity Guidelines

All submissions will be rated by MURAL only using the following criteria. MURAL will not accept a rated submission. If that occurs we may re-rate or dismiss that submission.

Critical: Critical severity issues present a direct and immediate risk to a broad array of our users or to MURAL itself.
- arbitrary code/command execution on a MURAL server in our production network.
- arbitrary SQL queries on the MURAL production database.
- bypassing the MURAL login process, either password or 2FA.
- access to sensitive production user data or access to internal production systems.

High: High severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access.
- injecting attacker controlled content into MURAL.com (XSS) which bypasses CSP.
- bypassing authorization logic to grant a repository collaborator more access than intended.
- discovering sensitive user or MURAL data in a publicly exposed resource, such as an S3 bucket.
- gaining access to a non-critical resource that only MURAL employees should be able to reach.
- code execution in a desktop app that requires no user interaction.

Medium: Medium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access.
- disclosing the title of issues in private repositories which should be inaccessible.
- injecting attacker controlled content into MURAL.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session.
- bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.

Low: Low severity issues allow an attacker to access extremely limited amounts of data.
- signing up arbitrary users for access to an "early access feature" without their consent.
- creating an issue comment that bypasses our image proxying filter by providing a malformed URL.
- bypassing community-and-safety features such as locked conversations.
- triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.
- triggering application exceptions that could affect many MURAL users.
This is a Response Basic program and therefore we will not be rewarding bounties on the HackerOne platform. However, if your report has been triaged and validated, then we will pay you only via PayPal (we will require your PayPal account). If you do not have a PayPal account, we can offer an Amazon gift card instead, for the same amount. Please find our reward program below:
Thank you and keep MURAL safe!