Vulnerability disclosure policy

Updated: April 2nd, 2021

We take the security of our systems seriously, and we value the security community. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users.

Guidelines

We encourage everyone who practices responsible disclosure and complies with our policies and terms of service to participate in our bug bounty program.

Please avoid automated testing and only perform security testing with your own data.

Please do not disclose any information regarding the vulnerabilities until we fix them.

Rewards are granted at our discretion depending on the criticality of the vulnerability reported.

How to report a security vulnerability?

You can report vulnerabilities by contacting security@bearer.sh. Please include a proof of concept.

We will respond as quickly as possible to your submission and won’t take legal action if you follow the rules.

Coverage

my.bearer.sh and vulnerabilities discovered in Bearer Broker.

Exclusions

  • www.bearer.com
  • docs.bearer.com
  • status.bearer.com
  • support.bearer.com

Accepted vulnerabilities are the following

  • Cross-Site Scripting (XSS)
  • Open redirect
  • Cross-site Request Forgery (CSRF)
  • Command/File/URL inclusion
  • Authentication issues
  • Code execution
  • Code or database injections

This bug bounty program does NOT include

  • Account/email enumerations
  • Denial of Service (DoS)
  • Attacks that could harm the reliability/integrity of our business
  • Spam attacks
  • Clickjacking on pages without authentication and/or sensitive state changes
  • Mixed content warnings
  • Lack of DNSSEC
  • Content spoofing/text injection
  • Timing attacks
  • Social engineering
  • Phishing
  • Insecure cookies for non-sensitive cookies or 3rd party cookies
  • Vulnerabilities requiring exceedingly unlikely user interaction
  • Exploits that require physical access to a user’s machine