Bug Bounty Program

If you believe you've discovered a security vulnerability within a Beamery product, service, or application, we strongly encourage you to inform us as quickly as possible. We ask that such vulnerability reports be kept private and researchers do not make any such information public.

In return Beamery will not seek judicial or law enforcement remedies against you for identifying security issues, so long as you:

• Comply with the policies set forth herein

• Comply with our Standard Disclosure Terms

• Do not compromise the safety or privacy of our user

• Destroy any sensitive data you might have gathered from Beamery as part of your research once issues are resolved

• Agree to and comply with Beamery’s Confidentiality terms below.

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be eligible for a reward.

• Only submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

• Please refrain from using any brute-forcing or dynamic scanning tools that will cause harm to Beamery. DoS and brute-forcing our endpoints are out of scope.

• Please note that you are expected to engage in security research responsibly. For example, if you discover a publicly exposed password or key, you should not use the key to test the extent of access it grants or to download or exfiltrate data in order to prove it is an active key. Similarly, if you discover a successful SQL injection, you are expected not to exploit the vulnerability beyond any initial steps needed to demonstrate your proof-of-concept.

The following vulnerability categories are considered out of scope of our responsible disclosure program and should be avoided by researchers.

• Clickjacking on pages with no sensitive actions.

• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.

• Attacks requiring MITM or physical access to a user's device.

• Previously known vulnerable libraries without a working Proof of Concept.

• Comma Separated Values (CSV) injection without demonstrating a vulnerability.

• Missing best practices in SSL/TLS configuration.

• Any activity that could lead to the disruption of our service (DoS).

• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.

• Attempting to compromise our endpoints by brute force.

• Missing best practices in Content Security Policy.

• Missing HttpOnly or Secure flags on cookies.

• Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.).

• Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version_.

• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).

• Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.

• Tabnabbing.

• Open redirect - unless an additional security impact can be demonstrated.

• Issues that require unlikely user interaction or that hinges on a user’s device being compromised first.

• Excessive exfiltration or downloading of Beamery data, or demanding payment in return for the destruction of such data, will be considered outside of the scope of this program, and Beamery will reserve all of its rights, remedies, and actions to protect itself and its users.