# Brand Promise
ProductBoard looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
# Scope
This policy applies to any digital assets owned, operated, or maintained by ProductBoard, Inc., including public-facing websites.
We especially encourage you to look at our recently released features.
# Out of Scope
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Vulnerabilities without a well-documented attack vector (e.g. only missing best practices)
- Denial of service or Distributed Denial of service attacks
- Absence of rate limiting
- Permission issues in Portals and Legacy boards
- HTML and Markdown injection in Productboard Editor and Comments
- Presence/absence/misconfiguration of SPF/DKIM/DMARC records or any email misconfiguration in general
- Lack of CSRF tokens
- Clickjacking issues
- Missing security headers which do not lead directly to a vulnerability
- Reports from automated tools or scans
- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)
- Outdated software without any noteworthy vulnerability
- Password reset token, account activation or invitation token leaks to third party services
- EXIF metadata issues
- Jira Service Desk being open to the public
- Using features from higher plans and other licensing issues
# Disclosure Policies
- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's disclosure guidelines.
# Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep ProductBoard, Inc. and our users safe!