đŁď¸ Contact [email protected] if you have any questions or want to inform the engineering team of any upcoming activity.
Domains
None, all Salesroom owned domains are within scope unless they point to another service. e.g. Blog, Status Page.
Guidelines
All reports should include a detailed step-by-step explanation of how to replicate the issue and an attack scenario to demonstrate the risk.
Practice responsible disclosure. That's a responsibility to users, not us. We strive to live up to the other end of this by resolving bugs in a timely manner.
If you sign up for a Salesroom account for vulnerability testing, please include "BugBounty" somewhere in your email address. (For example, you could use Gmailâs task-specific email addresses feature.) This helps us filter your account out of business metrics such as conversion rate.
If you include any secrets or confidential information in your report, partially mask it, as far as possible, so you can still convey the severity of your findings without accidentally leaking information.
Issues
The following issues are outside the scope of the Salesroom Vulnerability Disclosure program.
Best practices concerns (we require evidence of a security vulnerability)
Sessions not being invalidated when 2FA is enabled
Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
Race conditions that don't compromise the security of any user or Salesroom
Reports about theoretical damage without a real risk
Missing security headers not related to a security vulnerability
Also, specifically, any missing security headers on salesroom.com and www.salesroom.com
Missing CAA or DNSSec not related to a security vulnerability
The output of automated scanners without explanation
Denial of Service or brute force attacks unless they expose confidential data, including but not limited to...
Performing actions that may negatively affect Salesroom or its users (e.g. spam, brute force, denial of service, etc)
Executing brute force attempts to enumerate users beyond a proof of concept.
Any kind of DDoS attacks.
Any kind of rate limit, service limit, timing abuse or DoS, DDoS attacks unless the attack expose an abuse of functionality, data exfiltration or other similar abuse beyond service unavailability.
Spamming forms through automated vulnerability scanners are explicitly out of scope.
Performing actions that may negatively affect Salesroom or its users (e.g. spam, brute force, denial of service...)
Publicly released bugs in internet software.
Spam or social engineering techniques conducted on any Salesroom employee, vendor or contractor, account management or service desk, including but not limited to...
SPF and DKIM issues
Content injection
Hyperlink injection in emails
IDN homograph attacks
RTL Ambiguity
Violating any laws or breaching any agreements to discover vulnerabilities.
Accessing, or attempting to access, data or information that does not belong to you.
Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.
Conducting any kind of physical or electronic attack on Salesroom personnel, property, data centers, corporate offices, employee personal assets or any other physical assessment of Salesroom or itâs employees security.
Any physical attempts against Salesroom property or data centers.
Attacks requiring physical access to a userâs device or vulnerabilities requiring physical access to the victimâs unlocked device.
Hosting malware/arbitrary content on Salesroom and causing downloads.
XSS on any site other than those owned and operated by Salesroom Inc.
Hyperlink injection attacks in emails sent by the Salesroom platform using just plain text.
Hypothetical SSRF attacks without evidence of a PoC exposure to internal network resources.
Uploaded images being accessible after deletion due to CDN caching mechanisms
Linking a verified email/password account to a Google, Microsoft or other external sign in mechanism without reconfirming password.