Introduction
At Vendasta, security and privacy are our top priority. We welcome contributions from external security researchers to help us ensure that our customers can feel that their data is safe and secure with Vendasta. If you have found a security issue in one of the products in our suite, we encourage you to submit a report through our program.
Response Targets
Vendasta will make a best effort to meet the following SLOs for hackers participating in our program:
| Type of Response | SLO in business days |
|---|---|
| First Response | 2 days |
| Time to Triage | 2 days |
| Time to Resolution | depends on severity and complexity |
We’ll try to keep you informed about our progress throughout the process.
Disclosure Policy
- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's disclosure guidelines.
Program Rules
Update 02/10/2024: We are finding the testing of web chat components and lead capture forms on our website to be overly disruptive to our sales team. Any testing of the web chat component or any signup form, as well as all testing on our marketing domain https://vendasta.com or https://www.vendasta.com, is strictly out of scope.
- All research must be conducted using your own Vendasta instance, which you can sign up for here. You must use your "wearehackerone.com" email address. Researcher accounts are subject to deletion after a 60 day period of inactivity.
- When signing up for an account on yesware.com, please include "HackerOne" in your username.
- Include the HackerOne- string within the User-Agent header of all network requests while testing.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- In no event are you permitted to access, download or modify data residing in any other Account, or one that is not registered to you. We will not honor any issues which result from testing our customers.
All accounts are created as free accounts; please limit your testing to the number of accounts that are provided for free by Vendasta. Vendasta will notify you ahead of time of any costs that might be incurred, and you will be responsible for these costs. Do not send emails from our platform aside from a small number to test functionality.
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- HTML injection in email messages or chat windows
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Rate limiting or brute-force issues on non-authentication endpoints
- Missing best practices in Content Security Policy.
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Tabnabbing
- Open redirect - unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction
- Issues related to software or protocols not under Vendasta control
- Exposure of a login panel or service without any demonstrable attack scenario or exploitable vulnerability
- Missing best practices unless real-world impact is adequately demonstrated
- Issues identified by automated tools or scans
- Social engineering (including phishing) of Vendasta staff or contractors
- Static resources / public information "exposed" in storage buckets.
- Knowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.
- Partner Registration APIs or forms.
- User JWTs; we are in the process of moving to opaque tokens
- Debugging endpoints (domain.com/debug/pprof/): we use pprof for debugging Go microservices and they come up and down
- Disclosure of WordPress usernames or IDs
About our customers’ privacy and how we handle the GDPR
Customer data protection and privacy is of utmost importance at Vendasta and as such, whenever Personally Identifiable Information (PII) data is encountered during testing, we expect and require any and all persons involved to handle that data with utmost care. Showing or proving the existence of a flaw likely does not require any data dumps, so even if possible, no dumping of PII data is allowed. This is not negotiable.
Any exfiltrated PII data must immediately be deleted and any testing that might result in further PII being revealed must be halted. Do not store PII data. PII data samples, if needed in the report, should be properly obfuscated before posting. This includes submitting reports that contain your own data. In the case where PII data is posted in a report, we will redact that information as soon as possible. If after the redaction the report is unintelligible, it will not be processed.
Please note that email addresses, phone numbers, and pictures of our staff that are available on our public websites do not count as a data leak.
The Lawyers Made Us Put This Here
You must comply with all applicable Federal, State/Provincial, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program.
Vendasta does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this policy or the law, you may be subject to criminal and/or civil liabilities.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Vendasta and our users safe!