Vulnerability Disclosure Program

Security of user data and communication is of utmost importance to Salesflare. In pursuit of the best possible security for our service, we welcome responsible disclosure of any vulnerability you find in Salesflare. Principles of responsible disclosure include, but are not limited to:


Scope

Reproducibility

Our engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations and working code are more likely to garner rewards.

Severity

We are interested in security vulnerabilities that can be exploited to gain access to user data. We will qualify and reward a vulnerability only if the bug can be successfully used, by itself or in combination with another vulnerability you report, to access user data that is not yours. General "bugs" are never qualifying vulnerabilities, and anything that is not an exploit is a general "bug". The exploit must rely only on vulnerabilities of Salesflare's systems.

Focus Areas

The following finding types are specifically excluded from the bounty:

Rewards

Only 1 bounty will be awarded per vulnerability.

If we receive multiple reports for the same vulnerability, only the person offering the first clear report will receive a reward.

We maintain flexibility with our reward system and have no minimum/maximum amount; rewards are based on severity, impact, and report quality.

To receive a reward, you must reside in a country not on sanctions lists (e.g., Cuba, Iran, North Korea, Sudan & Syria). This is a discretionary program and Salesflare reserves the right to cancel the program; the decision whether or not to pay a reward is at our discretion.

Rewards are paid through PayPal or Dwolla. These services collect a fee for processing the transaction, which is deducted from the amount awarded.

Instructions for creating a Salesflare trial portal

Anyone may create a 14-day trial portal by navigating to: https://salesflare.com.

With a trial account, it is also possible to create an API key to send API requests. More information can be found here: https://howto.salesflare.com/en/articles/1017460-do-you-have-an-api

All available functionality may be tested.

Contact

Please email us at [email protected] with any vulnerability reports or questions about the program. Please report each new bug in a separate email thread.