Skip to main content
All CollectionsPolicies & SecuritySecurity
Bug Bounty Out of Scope List
Bug Bounty Out of Scope List

The following issues are outside the scope of the Salesroom Vulnerability Disclosure program.

Daria avatar
Written by Daria
Updated over a year ago

🗣️ Contact [email protected] if you have any questions or want to inform the engineering team of any upcoming activity.

Domains

None, all Salesroom owned domains are within scope unless they point to another service. e.g. Blog, Status Page.

Guidelines

  • All reports should include a detailed step-by-step explanation of how to replicate the issue and an attack scenario to demonstrate the risk.

  • Practice responsible disclosure. That's a responsibility to users, not us. We strive to live up to the other end of this by resolving bugs in a timely manner.

  • If you sign up for a Salesroom account for vulnerability testing, please include "BugBounty" somewhere in your email address. (For example, you could use Gmail’s task-specific email addresses feature.) This helps us filter your account out of business metrics such as conversion rate.

  • If you include any secrets or confidential information in your report, partially mask it, as far as possible, so you can still convey the severity of your findings without accidentally leaking information.

Issues

The following issues are outside the scope of the Salesroom Vulnerability Disclosure program.

  • Best practices concerns (we require evidence of a security vulnerability)

  • Sessions not being invalidated when 2FA is enabled

  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms

  • Race conditions that don't compromise the security of any user or Salesroom

  • Reports about theoretical damage without a real risk

  • Missing security headers not related to a security vulnerability

    • Also, specifically, any missing security headers on salesroom.com and www.salesroom.com

  • Missing CAA or DNSSec not related to a security vulnerability

  • The output of automated scanners without explanation

  • Denial of Service or brute force attacks unless they expose confidential data, including but not limited to...

    • Performing actions that may negatively affect Salesroom or its users (e.g. spam, brute force, denial of service, etc)

    • Executing brute force attempts to enumerate users beyond a proof of concept.

    • Any kind of DDoS attacks.

    • Any kind of rate limit, service limit, timing abuse or DoS, DDoS attacks unless the attack expose an abuse of functionality, data exfiltration or other similar abuse beyond service unavailability.

    • Spamming forms through automated vulnerability scanners are explicitly out of scope.

  • Performing actions that may negatively affect Salesroom or its users (e.g. spam, brute force, denial of service...)

  • Publicly released bugs in internet software.

  • Spam or social engineering techniques conducted on any Salesroom employee, vendor or contractor, account management or service desk, including but not limited to...

    • SPF and DKIM issues

    • Content injection

    • Hyperlink injection in emails

    • IDN homograph attacks

    • RTL Ambiguity

  • Violating any laws or breaching any agreements to discover vulnerabilities.

  • Accessing, or attempting to access, data or information that does not belong to you.

  • Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.

  • Conducting any kind of physical or electronic attack on Salesroom personnel, property, data centers, corporate offices, employee personal assets or any other physical assessment of Salesroom or it’s employees security.

    • Any physical attempts against Salesroom property or data centers.

  • Attacks requiring physical access to a user’s device or vulnerabilities requiring physical access to the victim’s unlocked device.

  • Hosting malware/arbitrary content on Salesroom and causing downloads.

  • XSS on any site other than those owned and operated by Salesroom Inc.

  • Hyperlink injection attacks in emails sent by the Salesroom platform using just plain text.

  • Hypothetical SSRF attacks without evidence of a PoC exposure to internal network resources.

  • Uploaded images being accessible after deletion due to CDN caching mechanisms

  • Linking a verified email/password account to a Google, Microsoft or other external sign in mechanism without reconfirming password.

Did this answer your question?