At TeamSnap, we take security seriously. You should see our office bouncers. They will throw down. Kidding aside, in addition to our internal security testing and fixes, we enjoy working with the security community to find vulnerabilities to keep our businesses and customers safe.
What We Ask (aka The Program Rules)
- Please provide detailed reports with reproducible steps. If the report is not complete enough to reproduce the issue, it may not be marked as triaged.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only triage the first report received—provided that it is reproducible.
- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
- Social engineering (e.g., phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
- Provide us with enough detail (screenshots, walkthrough steps, et cetera) to reproduce the issue.
- Give us time to fix the issue before riding through the streets at high noon announcing it to the world, or tweeting it to your 10,000 followers. The time needed varies based on the issue. For example, iOS release cycles are much longer than fixes on the web. But rest assured, once we know a problem exists, we are on the case.
- Do not access/manipulate/delete data you do not usually have permission to access. We are very committed to our users' data and experience. We would hate to have an unintentional glitch in the system result in someone messing with our users' accounts. Live by the Golden Rule: Do not be a jerk. Seriously though, attempts like these will be reported.
- Do not ask for payment; we do not offer cash payouts for disclosure. Also, you are not a turtle-necked villain from an early 90s cyberpunk movie.
- As this is a private program, please do not discuss this program or any vulnerabilities outside of the program. If you desire to share your work outside the program, you will need express, written consent from TeamSnap.
- Follow HackerOne's disclosure guidelines.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are out of scope:
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks that require MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without modifying HTML/CSS
- Rate limiting or brute force issues on non-authentication endpoints
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, et cetera)
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than two stable versions behind the latest released stable version]
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application, or server errors).
- Tabnabbing
- Open redirect without a demonstrated additional security impact
- Issues that require unlikely user interaction
What to expect from TeamSnap
- We review incoming issues on a weekly basis
- If we have questions, we’ll follow up with you on your report
- We do not offer awards, so please do not ask/beg. This is simply an organized and safe way for the public to responsibly disclose security issues to our team
- We will not publicly disclose any issues reported to us (unless the reporter wishes to disclose an issue at some point)
Safe Harbor
If you have played by the spirit and letter of this page, we pledge not to take legal action against you, cancel your TeamSnap accounts, send our bouncers Bubba and Larry after you, or do anything else to limit your access to TeamSnap. However, if you have not complied, we reserve the right to pursue legal action or other appropriate remedies. Seriously though, if you do right by us, we will do right by you. We do not want to get the legal system involved, and neither do you. OK? OK!
If a third party initiates legal action against you in connection with activities conducted under this policy, we will take steps to make it known that your operations were conducted in compliance with this policy.
Thank you for helping keep TeamSnap, and our users, safe!