Publitas is committed to working with security experts across the globe to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we'd welcome working with you. Please let us know about it and we'll make every effort to quickly correct the issue.
In-scope security vulnerabilities:
- SQL Injection
- Insecure direct object references (IDOR)
- Remote command execution
- Authentication bypass
- User enumeration attacks
- Application logic flaws
- DNS misconfigurations
- XML external entity injection (XXE)
Out of scope:
- XSS in the Publitas catalog viewer (we are aware of existing XSS in our catalog viewer: users can create a catalog and customise the viewer behaviour, including injecting code into the buttons and hotspot CTAs, so this is by design and not rewarded)
- CSRF
- Running automated scanners
- Using email addresses from public database dumps for user enumeration attacks
- Abusing contact forms
- Email authentication settings (SPF/DMARC/DKIM)
- Missing security headers (e.g. X-Frame-Options)
- Brute-force attacks
- Sending bulk emails
Submissions and Report Quality
High-quality submissions allow our team to understand the issue and relay the bug to the internal team that will fix it. The best reports provide enough actionable information to verify and validate the issue without any follow-up clarifying questions.
- Check the scope page before you begin writing your report to ensure the issue you are reporting is in scope for the program.
- Think through the attack scenario and exploitability of the vulnerability and provide as many clear details as possible for our team to reproduce the issue (include screenshots if possible).
- Please include your understanding of the security impact of the issue. Our acceptance criteria are directly tied to security impact, so the more detail you can provide, the better.
- In some cases, it may not be possible to have all of the context on the impact of a bug. If you’re unsure of the direct impact, but feel you may have found something interesting, feel free to submit a detailed report and ask.
- Video-only proof-of-concepts (PoCs) will not be considered; include the concrete requests, payloads or steps needed to reproduce the issue.
- A vulnerability must be verifiable and reproducible for us to consider it in scope.
- In case of duplicate submissions, we will consider/reward the researcher who reported it first.
Confidentiality
Any information you receive or collect about us, our affiliates or any of our users, employees or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform.
In-scope domains:
- integration1-app.publitas.com
- integration1-view.publitas.com
- integration1-api.publitas.com
- env-publitas-publitas.kinsta.cloud
The integration1-* environment is an exact replica of our production system, dedicated to security testing. Any testing done on the production/live environment will not be eligible for submission or bounty.
We believe in recognising the work of others. If your work helps us improve the security of our service, we'd be happy to acknowledge your contribution in our Hall of Fame and consider a reward based on the business value of the reported issue.