A few words
At Upflow, we recognize and embrace our responsibility to keep our customer data secure. We put a lot of time and effort into continuously reviewing and improving our secure development processes as well as the general security of our product. However, we’re conscious that some vulnerabilities may still slip into our code and that maintaining top-grade security online is a community effort.
In that context, we highly value the contribution that security researchers invest in good faith, helping us build and operate a secure platform for our customers and partners. As such, we encourage the responsible disclosure of vulnerabilities related to our application, website, and APIs.
This policy sets out the rules under which we expect the research and reporting of vulnerabilities to be conducted, as well as what you can expect from us in return.
If you are a security researcher, a user, or a partner, and have discovered a security vulnerability in our environment, we appreciate your help in disclosing it to us in a responsible manner.
Communication
If you would like to report a security issue, you may do so by sending an email addressed to [email protected].
If you think you’ve discovered a vulnerability on our platform, please do not publicly disclose any details outside of this process without explicit permission. Please do your best to include with your report the following details and be as descriptive as possible:
Vulnerability location & type - The exact location (vulnerable URLs and parameters and, if possible, the fully qualified domain name and IP address of the endpoint) and what you believe is the nature of the vulnerability;
Steps to reproduce - A detailed description of the steps required to reproduce the vulnerability (screenshots, screen recordings, and proofs-of-concept are all helpful);
Risk scenario - As far as possible, an illustration of what you believe is a relevant risk scenario explaining the prerequisites to the attack and its exact impact in a realistic context.
Ground rules
In order to avoid confusion between good-faith security research and fraudulent or malicious behaviors, we ask you to comply with the following rules when looking for, testing, and reporting vulnerabilities:
Take all reasonable measures to only interact with test accounts you have created on the platform;
If you manage to gain unauthorized access to any data or systems, limit the data or privileges you access to the minimum required to demonstrate a proof of concept. Cease testing and submit a report immediately if you encounter any personally identifiable information or proprietary information during testing. When in doubt, we will rate the vulnerability severity based on the worst-case scenario;
Do not engage in physical attacks, social engineering, distributed denial of service, or spam;
Avoid violating the privacy of others, disrupting our systems, destroying data, or harming user experience;
Report any vulnerability you’ve discovered promptly (i.e. days, not weeks);
Only use the specified communication channels listed above to discuss or report vulnerability information to us;
Do not disclose vulnerabilities you've discovered publicly or to any third party until we have formally authorized you to do so in writing;
Obviously, do not engage in any fraudulent exploitation of the vulnerability, in any form, with us, our users, or partners.
Expectations
When working with us according to this Policy, you can expect us to:
Work to fix discovered vulnerabilities in a timely manner;
Handle your report with confidentiality and respect written requests for anonymity.
Legal Matters
When conducting vulnerability research in good faith and in accordance with the terms specified in this policy, we consider this research to be:
Lawful and in accordance with applicable state laws relating to computer fraud. We will not bring any claim against you for circumvention of technology controls;
Exempt from restrictions in our Terms of Use only to the extent that they would interfere with conducting security research.
We won’t take legal action against, suspend, or terminate access to our platform for those who discover and report security vulnerabilities responsibly. Upflow Inc reserves all of its legal rights in the event of any noncompliance.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our above-mentioned communication channels before going any further.
Reward program
Upflow will provide rewards to eligible reporters of qualifying vulnerabilities, qualified at its sole discretion. Reports from researchers who failed to comply with our above-listed Ground Rules will not be considered eligible for our reward program.
A few specific rules apply to bounty hunters who wish to participate in our reward program:
If you want to create test accounts and organizations on our platform, make use as far as possible of our “pentest” environment, which is aligned, at all times, with our production environment (except for customer data), and can be accessed from https://app.pentest.upflow.eu/;
Refrain from mass-creating spammy accounts on our production platform merely to demonstrate that free accounts can be created; yes, we purposefully maintain a free tier.
Scope of the reward program
Demonstrated vulnerabilities relevant to the following resources will be considered for a reward:
Anything not specifically listed as in-scope will not be considered as part of our reward program.
Reward grid
Reward amounts will vary depending upon the severity of the reported vulnerability. This severity will be established based on an evaluation of the potential business impact resulting from malevolent exploitation of the vulnerability. In other words, reports failing to demonstrate a tangible attack scenario and opportunity are unlikely to be rewarded.
The rating-to-CVSS score equivalence outlined in the following table for in-scope components is provided for guidance only. The risk assessment is performed by Upflow at its sole discretion.
In the event that we choose not to reward a vulnerability with no demonstrable business impact, we reserve the right to fix the issue in order to avoid further equivalent submissions by other researchers.