Responsible Disclosure
Salsify looks forward to working with the security community to find vulnerabilities in order to keep our business and customer data safe.
Please read this entire policy before performing any security testing.
Bug Bounty Payments
Our disclosure program does not offer bug bounty payments.
In Scope Assets
Note: Only findings relating to these domains will be treated as valid.
- app.salsify.com
- api.salsify.com
Response Targets
We will make best efforts to meet the following SLAs for hackers participating in our program.
- First Response = 14 Days
- Time To Triage = 30 Days
- Time To Resolution = Dependent On Severity
We'll try to keep you informed about our progress throughout the process.
Disclosure Policy
- As this is a private program, please do not discuss this program or any vulnerabilities, even resolved ones, outside of the program without express written consent from Salsify.
- Follow the Program Rules outlined below.
Program Rules
- Please provide detailed reports with clear reproduction steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we will only triage the first report that was received (provided it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption of our service. Only interact with accounts you own or accounts for which you have the explicit permission of the account holder.
Out Of Scope Vulnerabilities
When reporting vulnerabilities, please consider:
- Attack scenarios
- Exploitability
- Security Impact
The following types of issues are considered out of scope:
- Content Security Policy (CSP) configuration, including missing best practices.
- X-Frame-Options header configuration.
- Clickjacking on pages with no sensitive data, including those referencing 'demo' in the URI.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Attacks requiring a man-in-the-middle (MITM) position or physical access to a user's device.
- Use of libraries with previously known vulnerabilities without a working proof of concept against our assets.
- Comma Separated Values (CSV) injection without a demonstrated exploitable impact.
- Missing best practice in SSL/TLS configuration.
- Any activity that could lead to disruption of our service (denial of service, DoS).
- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.
- Rate limiting or brute force issues on non-authenticated endpoints.
- Missing HttpOnly or Secure flags on cookies.
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
- Vulnerabilities only affecting users of outdated or unpatched browsers.
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Tabnabbing.
- Open redirects, unless an additional security impact can be demonstrated.
- Issues that require unlikely user interaction.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Reporting
If you believe your finding meets the requirements of a valid report for an in-scope asset, please use the template below so that your report includes each of these sections:
Report Template
TITLE
SUMMARY
[add a summary of the vulnerability]
IMPACT
STEPS TO REPRODUCE (POC)
[add the specific steps to reproduce the vulnerability]
- [add step]
- [add step]
- [add step]
- [… etc]
REFERENCE MATERIAL
ATTACHMENTS / SCREENSHOTS
SUGGESTED FIX (optional)
CONTACT
[include your email address]
Email your report to: [email protected]
Policy Valid Date
This policy is valid as of July 1st, 2021.