Responsible Disclosure

Last updated: Oct 22nd, 2024

 

1. Policy

At 7shifts we believe in leveraging the skills of security researchers around the globe to identify weaknesses in our technology. If you believe you’ve found a security issue in our services, we encourage you to notify us.

Developing patches, upgrades, workarounds, and other mitigations to security vulnerabilities can be time consuming and complex. In order to participate in our responsible disclosure program, vulnerability finders and reporters must provide us a reasonable period of time to investigate and remediate a reported issue. To be certain that we can develop a fix before the vulnerability can be exploited and maintain the security of our service and our users’ data, you may not publicly disclose a vulnerability without our explicit consent.

We administer bounties through a private Inspectiv program.

2. Program Rules

Researchers that do not follow these rules will not be eligible for compensation for reported vulnerabilities.

1. Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Reports should include, for example, screen captures, videos, proof-of-concept code, and/or reports or other output from security tools/utilities.
2. Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.
3. When duplicates occur, we award only the first report that was received in compliance with these rules (provided that it can be fully reproduced).
4. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
5. Social engineering (e.g. phishing, vishing, smishing) is prohibited.
6. Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
7. You must immediately delete any data that you acquire. To the extent you access any sensitive data in the course of your research, you should do so and use such data only to the extent required to identify the vulnerability and then cease your access to the data. You may not disclose this data to any third party.
8. You may not interact with accounts that you do not own or have explicit permission from the account holder to use.
9. Try not to create multiple accounts, unless absolutely necessary, and limit up to two accounts total if multiple accounts are needed. For additional accounts, please contact us for permission first.

4. Scope

As part of our commitment to security and responsible disclosure, we encourage security researchers to participate in our bounty program. The following endpoints are considered in scope for security testing:

1. Mobile Applications
   1. 7shifts Android App
   2. 7shifts iOS App
2. API Endpoints
   1. https://oauth.7shifts.com
   2. https://login.7shifts.com/oauth2
   3. https://api.7shifts.com
   4. https://files.7shifts.com
   5. https://gql.7shifts.com
   6. https://app.7shifts.com/gql/v2
3. Web Portal
   1. https://app.7shifts.com

We appreciate the efforts of security researchers and provide rewards for reports that disclose vulnerabilities affecting these endpoints. Please ensure compliance with our guidelines while conducting security tests.

5. Out of Scope & Exclusions

The following items are out-of-scope and are not covered under our bounty program:

1. All other domains and subdomains not listed in scope above
2. Cross-site-scripting (XSS) on “app.7shifts.com”
3. Issues that require unlikely user interaction
4. Public Zero-day vulnerabilities that have had an official patch for less than 1 month
5. Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version)
6. Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
7. Previously known vulnerable libraries without a working Proof of Concept
8. Testing using public sign-up accounts
9. Attacks which require MITM or physical access to a user’s device
10. Any 3rd party not within the domain spaces in scope, or findings from applications or systems not listed in the ‘In Scope’ section
11. Arbitrary file upload without proof/evidence of the uploaded file
12. Activity that could lead to the disruption of service (DoS / DDoS), including Rate Limiting
13. Broken Link Hijacking
14. Blind SSRF without negative impact
15. Clickjacking and Tapjacking
16. Common Vulnerabilities and Exposures “CVE”
17. CORS misconfiguration on non-sensitive endpoints or without negative impact
18. CSRF without negative impact, on forms that are available to anonymous users (e.g. the contact form), or on logout
19. CSV Injection
20. Disclosure of known public files or directories, (e.g. robots.txt)
21. Metadata not stripped from images/files
22. Functional, UI, UX bugs and spelling mistakes
23. Google Maps API Key Exposure
24. HTTP request smuggling without negative impact
25. Host Header injection without negative impact
26. Identification of outdated software
27. IP Logger Vulnerabilities
28. Lack of Secure and HTTP Only cookie flags
29. Lack of Security Speed Bump when leaving the site
30. Login or Forgot Password page brute force and account lockout not enforced
31. Mail configuration issues including SPF, DKIM, DMARC settings
32. Missing HTTP security headers
33. OPTIONS / TRACE HTTP method enabled
34. Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
35. Pre-Auth account takeover – “OAuth squatting”
36. Rate limiting or brute force issues
37. Self-XSS that cannot be used against other users
38. Sending vulnerability reports using automated tools without validation
39. Session fixation
40. Social engineering (e.g. phishing, vishing, smishing) is prohibited
41. Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
42. SSL attacks such as BEAST, BREACH, or Renegotiation attack; SSL forward secrecy not enabled; SSL insecure cipher suites
43. SSL certificate expired or misconfigured without negative impact
44. Subdomain takeover
45. Token expiration
46. Tokens leaked to trusted third parties without negative impact
47. Username/Email Enumeration
48. Violation of Secure Design Principle
49. Weak Captcha / Captcha Bypass
50. WordPress XMLRPC issues