Vulnerability Disclosure Program

Last updated: July 3, 2023

Welcome to the Behaviour Lab Vulnerability Disclosure Program! Should you stumble upon a potential issue, we encourage you to share it with us. Comprehensive details facilitate quicker validation and resolution, so we kindly ask you to provide as much information as possible.

Rewards

While we are unable to offer a formal, monetized bug bounty program at this time, we greatly value the work of security researchers who uncover and responsibly report vulnerabilities. In recognition of your invaluable contribution, we will individually honor each contributor within a dedicated section on this page. Your efforts significantly aid us in maintaining and enhancing the security of our platform.

Responsible Disclosure Policy

In the interest of collective security, we ask that you provide us with a reasonable time frame to address the issue before public or third-party disclosure. Please adhere to:

HackerOne's disclosure guidelines

Program Guidelines

  1. Detailed reports with replicable steps are essential. Incomplete or vague reports may not qualify for a reward.
  2. Each report should focus on a single vulnerability unless multiple vulnerabilities need to be chained to demonstrate impact.
  3. In case of duplicate issues, only the first fully reproducible report received will be rewarded.
  4. Multiple vulnerabilities stemming from a single underlying issue will receive a single bounty.
  5. Any form of social engineering, such as phishing, vishing, or smishing, is strictly forbidden.
  6. Please ensure your actions respect privacy, avoid data destruction, and do not disrupt or degrade our service. Interactions should only be with accounts you own or have explicit permission to access.
  7. Refrain from using brute-forcing or dynamic scanning tools that might harm Behaviour Lab's digital infrastructure. Any DoS or brute-force attacks on our endpoints are out of scope.

Exclusions

In your reporting, consider both the attack scenario/exploitability and the security impact of the bug. Certain issues are deemed out of scope:

  • Clickjacking on pages lacking sensitive actions
  • CSRF on unauthenticated forms or forms lacking sensitive actions
  • Attacks necessitating MITM or physical access to a user's device
  • Known vulnerable libraries without a functional Proof of Concept
  • CSV injection without a demonstrated vulnerability
  • Absence of SSL/TLS configuration best practices
  • Any activity potentially disrupting our service (DoS)
  • Content spoofing and text injection issues absent a demonstrated attack vector or HTML/CSS modification ability
  • Brute force attempts on our endpoints
  • Lack of best practices in Content Security Policy
  • Absence of HttpOnly or Secure flags on cookies
  • Incomplete email practices (e.g., invalid, incomplete, or missing SPF/DKIM/DMARC records)
  • Vulnerabilities affecting only users of outdated or unpatched browsers [those more than two stable versions behind the latest stable release]
  • Software version disclosure, banner identification issues, or descriptive error messages/headers (e.g., stack traces, application or server errors)
  • Public zero-day vulnerabilities with an official patch less than 1 month old will be considered on a case-by-case basis
  • Tabnabbing
  • Open redirect - unless additional security impact can be demonstrated
  • Issues requiring improbable user interaction

To report a vulnerability, please submit a report to dpo@behaviourlab.com.

Acknowledgements

We would like to thank the following individuals for their contributions to our security:

  • Dipendranath Tarafder