Introduction
If you believe you've discovered a security vulnerability within a Beamery product, service, or application, we strongly encourage you to inform us as quickly as possible. We ask that such vulnerability reports be kept private and researchers do not make any such information public.
In return Beamery will not seek judicial or law enforcement remedies against you for identifying security issues, so long as you:
• Comply with the policies set forth herein
• Comply with our Standard Disclosure Terms
• Do not compromise the safety or privacy of our users
• Destroy any sensitive data you might have gathered from Beamery as part of your research once issues are resolved
• Agree to and comply with Beamery’s Confidentiality terms below.
Rules of engagement
• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be eligible for a reward.
• Only submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
• Please refrain from using any brute-forcing or dynamic scanning tools that will cause harm to Beamery. DoS and brute-forcing our endpoints are out of scope.
• Please note that you are expected to engage in security research responsibly. For example, if you discover a publicly exposed password or key, you should not use the key to test the extent of access it grants or to download or exfiltrate data in order to prove it is an active key. Similarly, if you discover a successful SQL injection, you are expected not to exploit the vulnerability beyond any initial steps needed to demonstrate your proof-of-concept.
Exclusions
The following vulnerability categories are considered out of scope of our responsible disclosure program and should be avoided by researchers.
• Clickjacking on pages with no sensitive actions.
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS).
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
• Attempting to compromise our endpoints by brute force.
• Missing best practices in Content Security Policy.
• Missing HttpOnly or Secure flags on cookies.
• Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.).
• Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).
• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
• Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
• Tabnabbing.
• Open redirect - unless an additional security impact can be demonstrated.
• Issues that require unlikely user interaction or that hinge on a user’s device being compromised first.
• Excessive exfiltration or downloading of Beamery data, or demanding payment in return for the destruction of such data, will be considered outside of the scope of this program, and Beamery will reserve all of its rights, remedies, and actions to protect itself and its users.
Bounty Reward
If your vulnerability report affects a product or service within scope, you may receive a bounty award. Beamery retains sole discretion in determining which submissions are qualified for a bounty reward.
Confidentiality
By engaging or participating in and/or submitting a security vulnerability to Beamery, you agree to comply with the following confidentiality provisions.
“Confidential Information” means (i) all Beamery information obtained during security testing or via your participation in the Beamery Vulnerability Disclosure Program, (ii) all submissions by you. You are not granted any rights in Beamery’s Confidential Information or intellectual property by engaging in any testing or participating in Beamery’s Vulnerability Disclosure Program.
Confidential Information does not include information that (i) is or becomes publicly available through no fault of your own and without breaching these provisions, (ii) is independently developed without use of or reference to Confidential Information, or (iii) is or becomes known by you from a source not bound by confidentiality restrictions.
Before engaging in any testing or submitting findings you agree (i) to hold Confidential Information in strict confidence, (ii) to protect such Confidential Information from unauthorized use or disclosure, (iii) to not disclose such Confidential Information to any third party including the public, (iv) to not use such Confidential Information for any purpose outside the scope of participating in Beamery’s Vulnerability Disclosure Program, and (v) to notify Beamery immediately upon discovery of any loss or unauthorized disclosure of Confidential Information. Notwithstanding the foregoing, you may disclose Beamery’s Confidential Information to Beamery by emailing us at [email protected].