Vulnerability Disclosure Program
Security of user data and communication is of utmost importance to Salesflare. In pursuit of the best possible security for our service, we welcome responsible disclosure of any vulnerability you find in Salesflare. Principles of responsible disclosure include, but are not limited to:
- Access or expose only customer data that is your own.
- Do not exfiltrate data from our infrastructure (including source code, data backups, configuration files).
- If you obtain remote access to our system, report your finding immediately. Do not attempt to pivot to other servers or elevate access.
- Avoid scanning techniques that are likely to cause degradation of service to other customers (e.g. by overloading the site). This includes the spamming of contact forms, support emails, etc.
- Keep within the guidelines of our Terms of Service.
- Keep details of vulnerabilities secret until Salesflare has been notified and had a reasonable amount of time to fix the vulnerability.
- In order to be eligible for a bounty, your submission must be accepted as valid by Salesflare. We use the following guidelines to determine the validity of submissions and the reward offered.
Scope
Out of Scope
- blog.salesflare.com
- integrations.salesflare.com
Bug submission requirements
When submitting a vulnerability or incident, please provide:
- A detailed description of the issue, its exploitability and its impact
- The reproducible steps (if applicable) - our engineers must be able to reproduce the security flaw from your report.
- The Salesflare team ID that you used
All submissions must provide evidence and explanation of all steps required to reproduce the issue, which may include:
- PoC (videos, screenshots, payloads, web/API requests and responses)
- User permissions settings (when reporting escalation or abuse of privileges in a company)
- References and recommendations
Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations and working code are more likely to garner rewards.
Severity
We are interested in security vulnerabilities that can be exploited to gain access to user data. We will only qualify and reward a vulnerability if the bug can be used, by itself or in combination with another vulnerability you report, to access user data that is not yours. A general "bug" (anything that does not yield a working exploit) is never a qualifying vulnerability. The exploit must rely only on vulnerabilities in Salesflare's own systems.
Focus Areas
- Authentication or authorization flaws
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF/XSRF). This excludes logout CSRF.
- Sensitive data exposure
- Server-side code execution bugs
The following finding types are specifically excluded from the bounty or are already known:
- Failures to adhere to "best practices" (for example, common HTTP headers, link expiration or password policy)
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Salesflare corporate infrastructure configuration (e.g., mail service SPF records)
- Disclosure of known public files or directories, (e.g., robots.txt).
- Perceived excessive volumes of sent email (e.g., mail flooding).
- Denial of Service vulnerabilities (DoS)
- Possibilities to send malicious links to people you know
- Security bugs in third-party websites that integrate with Salesflare
- Insecure cookies on salesflare.com
- Mixed-content scripts on salesflare.com
- Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves be susceptible
- Spam or social engineering techniques
- Clickjacking issues, unless an exploit showing account takeover or disclosure of sensitive resources is provided
Rewards
Only 1 bounty will be awarded per high or critical vulnerability.
If we receive multiple reports for the same vulnerability, only the person offering the first clear report will receive a reward.
We maintain flexibility with our reward system and have no minimum/maximum amount; rewards are based on severity, impact, and report quality. Bounties are generally between $20 and $80, but may be higher or lower.
To receive a reward, you must reside in a country not on sanctions lists (e.g., Cuba, Iran, North Korea, Sudan & Syria). This is a discretionary program and Salesflare reserves the right to cancel the program; the decision whether or not to pay a reward is at our discretion.
Rewards are paid through PayPal. PayPal collects a fee for processing the transaction, which is deducted from the amount awarded.
Instructions for creating a Salesflare trial portal
Anyone may create a trial portal by navigating to: https://salesflare.com.
With a trial account, it is also possible to create an API key to send API requests. More information can be found here: https://howto.salesflare.com/en/articles/1017460-do-you-have-an-api
All available functionality may be tested.
Contact
Please email us at [email protected] with any vulnerability reports or questions about the program. Please report each new bug in a separate email thread.