At Smartlook, we consider security of our product and accompanying services an utmost priority. We are dedicated to ensure that we follow both industry-recognised security standards and our internal frameworks and guidelines. That means we take any security measures very seriously and to achieve that, we need your help. Threat hunting is not always an easy task, and that's exactly why we have created this policy and issued a Vulnerability Disclosure workflow. To protect our customers, users and business partners, and make sure that bad actors are kept out of the equation.
We want researchers to feel comfortable sharing their findings and discoveries with us, therefore this guideline is intended to provide you with foundations to build on when submitting new vulnerabilities and participating in our Bug Bounty program. In the following sections, you can find an acceptable scope of testing, ways how to submit a vulnerability, rules of engagement, and simple methodology, so that our mutual cooperation is beneficial to both sides.
As long as you conduct your research in a good faith and not violate our Rules of Engagement or any other terms set out in this policy, we will take your submission into account, work on resolving the issue promptly and embrace our mutual cooperation. Should you not violate any terms stated here, Smartlook shall not pursue any legal action, press charges or demand compensation related to your research.
General research guideline
“Research” means activities, in which you:
Conduct any sort of unusual user behaviour with the end goal of discovering a loophole.
Use publicly accessible or custom-made exploits to take advantage of system misconfiguration, common vulnerabilities or 0-day vulnerability.
Perform automated scanning against our external infrastructure, tamper with our API endpoints, try to capture communication from to/from our network.
Notify us as soon as possible about an immediate or potential security issue.
Work with us on resolving the aforementioned issue and ensure that we are provided with necessary technical information.
Make sure that you do not, under any circumstances, exfiltrate, modify and delete any data, pivot to other internal systems, or maintain persistent access. Please refrain from disrupting user experience, as well as directly targeting production systems.
Do not violate any privacy laws or regulations, and if you happen to get access to any confidential data, erase everything upon submitting your report.
Do not compromise any third parties or target any of our customers.
All domains and subdomains in the scope will be listed below, as well as subsequent API endpoints and other assets. Under no circumstances should you target any assets that are out of the specified scope or any connected services from our vendors. In case you happen to discover a vulnerability in one of our vendor’s product, please proceed to contact that particular company and disclose your finding to them. If you're not sure whether some subdomain falls into the scope, contact us directly, and we will reply to you as soon as possible. We might increase the scope of our policy if we deem the asset worthy of further testing.
List of assets authorized for testing:
Rules of Engagement
Researchers must not:
Test any system, domain, or API endpoint that is out of the scope.
Engage in physical security testing, both of facilities and resources.
Engage in social engineering such as phishing, vishing or any other form.
Attempt to execute a Denial-of-Service attack that would compromise availability of our services.
Keep any sensitive information obtained during testing after the submission.
Execute exploits that might result in unavailability of our systems or cause a data leak accessible by third parties.
Target connected services from our vendors, or intercept communication between these services and Smartlook product.
Alter, delete, insert or share any data obtained during the test.
Violate privacy of customers, users, or company associates.
Introduce malicious software, botnets, or data extraction tools.
Take advantage of discovered vulnerabilities to a larger extent than necessary for a reliable proof-of-concept.
Notify us and cease testing immediately upon discovery of a vulnerability.
Provide a proof-of-concept and detailed technical information.
Erase all non-public data upon successfully reporting a vulnerability.
Reporting a vulnerability
You can find the contact e-mail address below, which may be filled anonymously, although we do not recommend the use of temporary e-mails, as that may affect our reply and proper means of communication. If you can attach your GitHub account or any personal information, we would certainly welcome that. It will make the process of remediation easier and more sustainable. Any information you provide will be encrypted, kept private and accessible only to security personnel. For that purpose, we would like to ask you for a PGP key to make sure that our communication and data exchange is fully secure.
Submission information, including report, possible remediation and technical details, will be used exclusively for defensive purposes and hardening our product. We would also like to ask you for a personal evaluation such as severity, impact and exploitability, so that we can prioritize the vulnerability accordingly and ensure that the issue will be resolved as fast as possible.
By submitting the form, you are indicating that you have read the terms stated in this policy, adhered to the provided guideline, and that we have your explicit permission to use that provided data to further enhance our product.
The total compensation for your report will be highly dependent on severity, complexity, and exploitability of the vulnerability. Your reports are always verified by our internal security team, which also weighs in on various risks associated with that vulnerability, and how major of an impact it would have in case we were attacked. We conduct frequent penetration tests and both external and internal scanning, so we are well aware of some security misconfigurations that you might find, although they may not be our utmost priority as of now. In any case, we are working hard to secure and harden our infrastructure, so we always welcome new inputs and possible remediation tips.
We also vow to reply to all reports within 72 hours and agree on a price of bounty within 1 week since the contact has been made. In case you have more reports prepared, let us know in advance, so that we can go through them individually and estimate a bounty independently for each report.
Smartlook is committed to correct discovered security issues in a timely manner and during a timeline that shall be established in cooperation with the researcher. We kindly ask you to refrain from sharing any information about the vulnerability with third parties for 90 calendar days after you have received a confirmation of the submission, as some issues are notoriously difficult to tackle and might require more manpower than we would have at our disposal. In any case, your opinion is valuable to us, and we would be more than eager to cooperate with you throughout that time period.
We would like to thank you beforehand for your submissions, reports, and cooperation! If you have any questions regarding scope or testing methods, do not hesitate to contact us at: email@example.com