If you believe you have found a security issue or vulnerability, please submit the report to our security team by following the guidelines below
Updated December 12, 2021Scope
If you believe you have found a security issue or vulnerability, please submit the report to our security team by following the guidelines below
In-Scope Targets
https://brightsec.com/Testing is only authorized on the targets listed as In-Scope. Any domain/property of Bright Security not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
This program excludes (regardless of coverage indicated above):
- Clickjacking
- External SSRF
- Anything related to Mail Server Domain Misconfiguration (including email spoofing, missing DMARC, SPF/DKIM, etc.)
- Brute Force attacks on our Login or Forgot Password pages
- Account lockout enforcement
- Internal IP address disclosure
- Username / Email Enumeration
- No Captcha / Weak Captcha / Captcha Bypass
- Missing HTTP security headers
- Cookie Issues
- SSL Issues
- Weak password policies (length, complexity, etc.)
- Vulnerabilities primarily caused by browser/plugin defects and not representative of defects in the security of Bright Security’s platform
- Vulnerabilities that require social engineering
- WordPress “issues” such as xmlrpc that are mitigated by our hosting provider
- Out-of-date browsers and plugins
- Vulnerabilities in 3rd party applications that do not directly affect our data or service
- Spam of any kind
- Denial of service attacks
- Issues already known by us or previously reported to us by others
- Issues that we have determined to be of acceptable risk
Submissions containing issues related to the above list of exclusions will not be eligible for reward. If you have found a vulnerability that is excluded by our program, you may still report it as part of our vulnerability disclosure program.
Act Responsibly
The rules of responsible disclosure of vulnerabilities include, but are not limited to:
- Avoid accessing, exploiting, or exposing any customer data other than your own.
- Avoid any action that may cause a degradation of our services
- Do not use any social engineering techniques
- When methods are used that do not comply with your local law and/or the above-mentioned responsibility rules, enforcement authorities will be notified
Reproducibility
Our security team and engineers must be able to reproduce the reported security flaw. Make sure your report is clearly written and includes all the necessary information so we can reproduce the flaw. Please include:
- Type of vulnerability
- When applicable, include the URL
- The potential impact of the vulnerability
- Step-by-step instructions to reproduce the issue, including any proof-of-concept or exploit code to reproduce
Definition of a Vulnerability
To be eligible for a reward, your finding must be considered valid by the Bright Security security team.
Reward
We base all payouts on impact and will reward accordingly. Please emphasize the impact as part of your submission.
We are particularly interested in:
- Major exposures around customer data leak
- Issues that result in full compromise of a system
- Business logic bypasses resulting in significant impact
- Major operational failure (excluding Denial of Service related submissions)
Keep in mind:
- Only one bounty will be awarded per vulnerability
- If we receive multiple reports for the same vulnerability, only the first valid report will be rewarded
- Our reward system is flexible with no minimum or maximum limits
- Platform-related vulnerabilities typically have higher impact
Reporting
You can contact us via
to report any vulnerability or if you have questions about this program.
Disclosure Policy
Bright Security understands the importance of disclosure of vulnerabilities and we are happy to allow disclosure in certain instances.
Rules
- You must receive explicit permission before disclosure
- You may not discuss vulnerabilities outside the program
- Invalid reports are not eligible for disclosure
- Only resolved reports are eligible
Requesting Permission
To request permission for disclosure, you may email bugbounty@brightsec.com. Bright Security has the right to approve or deny the request.
Violation of Terms
By participating in Bright Security's bug bounty program, you are agreeing to this policy. If any of the rules of this disclosure policy are broken, Bright Security has the right to legal action against the person who violated the rules.
If any of the rules of this disclosure policy are broken, Bright Security has the right to legal action against the person who violated the rules. That person will also be banned from all future participation in the Bright Security bug bounty program.
