Vulnerability Disclosure Program (VDP)

Scope

This policy applies to security vulnerabilities found in Billingbooth-owned systems and applications, including our main application, REST API, signup service, and marketing website. Please do not test third-party services or infrastructure that we use but do not own.

Out-of-scope activities

Billingbooth considers the following activities either potentially harmful to the platform, or not helpful in securing our specific environment or applications:

• Social engineering, including phishing
• Network DoS/DDoS
• Brute-force attacks
• Physical attacks
• Anything that modifies or destroys data

Out-of-scope vulnerability types

Billingbooth considers the following vulnerability classes as out of scope:

• Missing web security headers
• Phishing-enablement-related issues, e.g. tabnabbing
• Email server misconfiguration issues (SPF, DKIM, DMARC)
• No CSRF on logout button
• Lack of CSP security header and X-frame bypass
• Security-related cookie flags
• Wide SSL certificate scope
• Weak SSL ciphers / Insufficient TLS versions enabled
• Email template injection
• Results from automated tooling
• Broken links or redirects
• Internal IP address disclosure
• Minor infrastructure detail disclosure without significant impact
• Verbose error messages without significant impact
• Insecure HTTP request methods
• Issues related to unsupported browser versions
• Issues related to robots.txt

Safe harbour

Provided you're conducting vulnerability research in line with the terms set out here, we consider this research to be:

• Authorised in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar applicable laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy.
• Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls.
• Exempt from restrictions in our terms of use or other relevant terms and conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy.
• Lawful, helpful to the overall security of the Internet, and conducted in good faith.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please contact us at [email protected] for clarification before proceeding.

Terms of service

• Do not cause harm to Billingbooth, its customers, shareholders, partners, or employees.
• Do not engage in any act that may cause an outage or stop any of Billingbooth's services.
• Do not engage in illegal activities, and ensure compliance with all applicable national, international, federal, state, and local laws and regulations.
• All activities performed must comply with the Billingbooth terms of use, or any other relevant Billingbooth terms.

Reward policy

Billingbooth does not offer compensation for vulnerability disclosures. However, all efforts to help make Billingbooth more secure are greatly appreciated, especially high quality or high impact submissions.

Report quality

If you would like to submit a vulnerability report that Billingbooth is likely to assess as high quality, please consider including the following in your submission:

• A thorough description of the issue, with clear and concise steps to reproduce.
• A detailed summary of the impact of the vulnerability.
• Clear proof of reliable reproduction of the vulnerability, such as screenshots, screen recordings, and so on.