Security Disclosure Policy
Last updated: July 26, 2022
ShootProof is committed to ensuring the security of our users’ data by protecting their information from unwarranted disclosure. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.
This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
We want security researchers to feel comfortable reporting vulnerabilities they’ve discovered – as set out in this policy – so we can fix them and keep our users safe. We have developed this policy to reflect our values and uphold our sense of responsibility to security researchers who share their expertise with us in good faith.
Authorization
If you make a good faith effort to comply with this policy during your security research, we will consider your research authorized, we will work with you to understand and resolve the issue quickly, and we will neither recommend nor pursue legal action related to your research.
Guidelines
Under this policy, “research” means activities in which you:
- Notify us as soon as possible after you discover a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not intentionally compromise the privacy or safety of ShootProof personnel, users, or any third parties.
- Do not intentionally compromise the intellectual property or other commercial or financial interests of ShootProof, ShootProof personnel or entities, users, or any third parties.
Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, sensitive personal information such as financial information or health information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
Scope
This disclosure policy applies only to vulnerabilities in ShootProof products and services under the following conditions:
- Only vulnerabilities which are original, previously unreported, and not already discovered by internal procedures are in scope.
- Only domains that publish a security.txt file at /.well-known/security.txt are in scope.
Domains in scope:
- https://studio.shootproof.com
- https://client.shootproof.com
- https://api.shootproof.com
- https://www.shootproof.com
Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document listed above. If there is a system not in scope that you think merits testing, please contact us to discuss it first. We will increase the scope of this policy over time.
Out of scope
The following security issues are currently not in scope:
- Reports from automated tools or scans
- Denial of Service (DoS) attacks
- Reports indicating that our services do not fully align with “best practice” but that do not lead directly to a vulnerability, e.g. missing security headers (Content-Security-Policy, X-Frame-Options, X-XSS-Protection etc.), “weak” cipher suite support, or suboptimal email-related configuration (SPF, DMARC etc.)
- Missing secure flags on Cookies that do not directly lead to a vulnerability
- Login/logout/unauthenticated/low-impact CSRF
- Spam
- Attacks requiring Man-in-the-Middle or physical access to the victim’s device
- Social engineering, phishing, or other fraud
- User and project enumeration/path disclosure unless an additional impact can be demonstrated
- Reports where an attacker can only validate a guess (for example an API route returning different status codes depending on whether a private path exists) will not be accepted
- Reports where an attacker can only disclose the ID of a private element will not be accepted
- Vulnerabilities on third-party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)
- Any other submission determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact
- Self-XSS
Reporting a vulnerability
If you have discovered an issue which you believe is an in-scope security vulnerability, please email security@foreground.co including:
- The website or page in which the vulnerability exists.
- A brief description of the class of the vulnerability (e.g. “Stored XSS”).
If your report contains sensitive material, please use our public PGP key to encrypt your communication with us. The key is located at https://www.shootproof.com/pgp-key.txt
In accordance with industry convention, we ask that reporters provide a benign (i.e. non-destructive) proof of exploitation wherever possible. This helps to ensure that the report can be triaged quickly and accurately, while also reducing the likelihood of duplicate reports and, for some vulnerability classes, of malicious exploitation. Please do not send your proof of exploitation in the initial, plaintext email if the vulnerability is still exploitable; use the PGP key above instead. Please also ensure that every proof of exploitation complies with our guidance (below). If you are in any doubt, email security@foreground.co for advice before testing.
Please read this document fully prior to reporting any vulnerabilities to ensure that you understand the policy and can act in compliance with it.
What to expect
In response to your initial email to security@foreground.co you will receive an acknowledgement from the ShootProof Security Team, usually within 2 weeks of our receiving your report. If you would like to encrypt communications with our security team, please use our PGP key located at https://www.shootproof.com/pgp-key.txt.
Following the initial contact, our Security Team will triage the reported vulnerability and will respond to you as soon as possible to confirm whether further information is required and/or whether the vulnerability qualifies as per the above scope, or is a duplicate report. From this point, necessary remediation work will be assigned to the appropriate ShootProof teams and/or supplier(s). Priority for bug fixes and/or mitigations will be assigned based on the severity of impact and complexity of exploitation. Vulnerability reports may take some time to triage and/or remediate. You’re welcome to inquire on the status of the process but please limit this to no more than once every 14 days – this helps our Security team focus on the reports as much as possible.
Our Security Team will notify you when the reported vulnerability is resolved (or remediation work is scheduled) and will ask you to confirm that the solution covers the vulnerability adequately.
What we ask
Security researchers must not:
- Access unnecessary amounts of data. For example, 2 or 3 records are enough to demonstrate most vulnerabilities (such as an enumeration or direct object reference vulnerability);
- Violate the privacy of ShootProof’s users, employees, contractors, systems, etc.; for example by sharing, redistributing and/or not properly securing data retrieved from our systems or services;
- Modify data in our systems/services which is not your own;
- Disrupt our service(s) and/or systems.
At any stage, if you are unsure whether the actions you are thinking of taking are acceptable, please contact our security team for guidance (please do not include any sensitive information in the initial communications): security@foreground.co.
Rewards and Acknowledgements
ShootProof does not offer monetary rewards for vulnerability reports.
ShootProof does not publish a “Wall of Honor” or other public acknowledgement at this time; however, private and academic acknowledgements are available on a case-by-case basis.
Eligibility for Participation
You are responsible for complying with any applicable laws. You are not eligible to participate in this program if you are currently an employee of ShootProof or any of its subsidiaries. Reports from former employees, immediate family of current employees, or other associates of ShootProof that may present a conflict of interest with the goals of the program will be more thoroughly reviewed and may not qualify for this program, at ShootProof’s discretion.
Questions
Questions regarding this policy may be sent to security@foreground.co. We also invite you to contact us with suggestions for improving this policy.