Security at Olark

We sincerely thank you for your help, and will happily offer a bounty for submissions of security bugs under the following criteria:

• The bug is an application vulnerability (database injection, XSS, session hijacking, remote code execution and so forth) in our main website, the JavaScript chat box, our API, Olark Chat, or one of our other core services.
• The bug does not depend on any part of the Olark product being in a particular 3rd-party environment. In particular, we are not responsible for vulnerabilities on the sites of any of our customers that may happen to use Olark, unless those vulnerabilities might affect other Olark users or our main site.
• The bug's effects are not limited only to browser/version combinations that cannot be conceivably called modern in any way--we're looking at you, IE6/7.
• You are the original source of the bug through your own research, and you are the first person to report the particular vulnerability to us.
• You have given/are giving us a reasonable amount of time to act upon the disclosure before disclosing it to any other organization, or to the public.
• You are not a minor, nor are you on any list of people we are not legally allowed to do business with.

There are some caveats to the above. To wit:

• Please do not test our capacity, or for Denial of Service or similar exploits.
• Please do all testing on your own account, and not to any other customers. Also, please make the effort not to destroy any data/defraud anyone/set any puppies on fire. We respect the privacy and safety of the people using our service, and hope you feel the same way.
• Please do not run any automated exploit scanners without a limited scope. This generates spam for us, and is annoying, and will likely cover a lot of ground that has already been tread.
• Please submit the reproduction as plain text, or as POCs in standard image or video formats (gif, png, mp4, and similar). Submissions received in various rich text formats (docx, pdf) will be asked to resubmit in plain text.
• We reserve the right to refuse or grant awards solely at our discretion, and to modify or cancel this policy at any time with no prior notice. We'll try not to be mean about it, though.
• We leave any tax implications or legal standing in your own country to be entirely your own responsibility.
• XSS attacks that require user submission ("reflective" XSS, as opposed to "stored" XSS) are not eligible for a bounty, but can still receive recognition here and a t-shirt if the attack is novel.

How to disclose an issue

Submit your finding to [email protected] (pgp)

Please include:

• A summary of the problem
• A proof-of-concept or a stepwise breakdown
• How to identify you for attribution on this page.

We're not an Internet giant (yet!), but will happily award between $100-$300 for critical disclosures, and may award more at our discretion. We will also list you here in the Special Thanks session, send you a free awesome t-shirt, and buy you a beer (or similar beverage) if we ever run into you in person.

Please note that we are not a huge company, and all of our engineers have many responsibilities in addition to keeping our product secure. Since that is the case, there may be a lag in responses from us, and there may be some time between submission and the patching of the vulnerability. We're sorry if you bump into either of these things, but promise that we will eventually evaluate and respond to your submissions.