Shadowfax Security Vulnerability Disclosure Policy
Last updated: 2024-01-21
Thank you for your interest in helping us improve the security of our services. We welcome responsible disclosure
of potential security vulnerabilities in our web applications and infrastructure.
Scope
This policy covers the following domains:
- In-scope:
- workspaces.shadowfaxdata.com
- shadowfaxdata.com
- Exclusions:
- Missing any best security practice that is not a vulnerability
- Self XSS
- Username or email address enumeration
- Email bombing
- HTML injection
- XSS vulnerabilities on sandbox or user-content domains
- Unvalidated or open redirects or tabnabbing
- Clickjacking in unauthenticated pages or in pages with no significant state-changing action
- Logout or unauthenticated CSRF
- Missing cookie flags on non-sensitive cookies
- Missing security headers that do not lead directly to a vulnerability
- Unvalidated findings from automated tools or scans
- "Back" button that keeps working after logout
- Issues that do not affect the latest version of modern browsers or platforms
- Attacks that require physical access to a user device
- Social engineering
- Hosting malware/arbitrary content and causing downloads
- Use of a known-vulnerable library (without evidence of exploitability)
- Low-impact descriptive error pages and information disclosures without any sensitive information
- Invalid or missing SPF/DKIM/DMARC/BIMI records
- Password and account policies, such as (but not limited to) reset link expiration or password complexity
- CSV injection
- Broken link hijacking
- Phishing risk via Unicode/Punycode or RTLO issues
- Missing rate limitations on endpoints (without any security concerns)
- Presence of EXIF information in file uploads
- Ability to upload/download executables
- Bypassing pricing/paid feature restrictions
- 0-day vulnerabilities in any third parties we use within 10 days of their disclosure
- Any other issues determined to be of low or negligible security impact
- Issues that do not affect the latest version of applications, modern browsers, or platforms
- Vulnerabilities resulting from implementations that do not follow our deployment guidelines
- Usage of known vulnerable components without an actual working exploit
- Our intended features or accepted risks (including but not limited to the following) are not vulnerabilities and are thus excluded from our program:
- Applications running as SYSTEM user
- Features to execute queries, scripts, or workflows by privileged users
- Usage of UDP-based unauthenticated protocols (which can be disabled by the user)
- Security concerns applicable only with rooted/jailbroken devices
Reporting Vulnerabilities
To report a potential vulnerability, please follow these steps:
- Responsible Disclosure:
- Do not disclose the vulnerability publicly or to third parties until it has been acknowledged and addressed by us.
- Provide us with sufficient information to reproduce the issue, including steps to reproduce, screenshots, and any relevant logs or data.
- Be respectful and professional in your communication.
- During your Security Bug research, if you gain any inadvertent access to our or users' information, including sensitive, personal, or any other unauthorized information ("Unauthorized Information"), you must cease your Security Bug research to prevent further access to any Unauthorized Information by you and notify us of any Unauthorized Information you accessed. Upon notifying us of such access, delete all Unauthorized Information from your systems or devices.
- You will always use your own account, or an account for which you have explicit consent from the account owner, for testing the Security Bug.
- You will use any Security Bug discovered by you only for testing, and you will not exploit the Security Bug in any manner.
- You are prohibited from performing Distributed Denial of Service (DDoS) testing or any activities that could potentially lead to service degradation, disruption, or outage. Engaging in such actions constitutes a violation of our program policy and may result in legal consequences.
- Contact:
- Confidentiality:
- We will treat your report with confidentiality and will not disclose your identity to anyone without your prior consent, unless required by law.
- We will make reasonable efforts to acknowledge and address the reported vulnerability within a reasonable timeframe.
Rewards Program
We may offer a reward up to $1,000 for certain vulnerabilities.
Bounty Tiers
We reward vulnerabilities based on their potential impact and severity. The following are our bounty tiers:
- Low-severity: Up to $50
- Medium-severity: Up to $200
- High-severity: Up to $500
- Critical-severity: Up to $1,000
Limitation of Liability
To the extent permitted by applicable law, we exclude all liability for any loss or damage (including indirect,
special, or consequential loss or damage) arising from or in connection with your participation in this
vulnerability disclosure program, including but not limited to:
- Any loss or damage to your computer system or data
- Any loss or damage arising from your use of any information provided by us
- Any loss or damage arising from any unauthorized access to or disclosure of your information
Disclaimer
This policy is subject to change without notice. By reporting a vulnerability, you agree to be bound by the terms
of this policy.
Contact
If you have any questions or concerns regarding this policy, please contact us at [email protected].
Thank you for your help in making our services more secure.