Bug Bounty Out of Scope List
Last Updated Oct 27, 2021
Contact [email protected] if you have any questions or want to inform the engineering team of any upcoming activity.
None; all Salesroom-owned domains are within scope unless they point to another service, e.g. Blog, Status Page.
The following issues are outside the scope of the Salesroom Vulnerability Disclosure program.
- Denial of Service or brute force attacks unless they expose confidential data, including but not limited to...
- Performing actions that may negatively affect Salesroom or its users (e.g. spam, brute force, denial of service, etc.)
- Executing brute force attempts to enumerate users beyond a proof of concept.
- Any kind of DDoS attacks.
- Any kind of rate limit, service limit, timing abuse, DoS or DDoS attack, unless the attack exposes an abuse of functionality, data exfiltration or other similar abuse beyond service unavailability.
- Spamming forms through automated vulnerability is explicitly out of scope.
- Performing actions that may negatively affect Salesroom or its users (e.g. spam, brute force, denial of service...)
- Publicly released bugs in internet software.
- Spam or social engineering techniques conducted on any Salesroom employee, vendor or contractor, account management or service desk, including but not limited to...
- SPF and DKIM issues
- Content injection
- Hyperlink injection in emails
- IDN homograph attacks
- RTL Ambiguity
- Violating any laws or breaching any agreements to discover vulnerabilities.
- Accessing, or attempting to access, data or information that does not belong to you.
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.
- Conducting any kind of physical or electronic attack on Salesroom personnel, property, data centers, corporate offices, employee personal assets or any other physical assessment of Salesroom or its employees' security.
- Any physical attempts against Salesroom property or data centers.
- Attacks requiring physical access to a user’s device or vulnerabilities requiring physical access to the victim’s unlocked device.
- Hosting malware/arbitrary content on Salesroom and causing downloads.
- XSS on any site other than those owned and operated by Salesroom Inc.