Responsible Disclosure

Last updated: Oct 22nd, 2024

 

1. Policy

At 7shifts we believe in leveraging the skills of security researchers around the globe to identify weaknesses in our technology. If you believe you’ve found a security issue in our services, we encourage you to notify us.

Developing patches, upgrades, workarounds, and other mitigations to security vulnerabilities can be time consuming and complex. In order to participate in our responsible disclosure program, vulnerability finders and reporters must provide us a reasonable period of time to investigate and remediate a reported issue. To be certain that we can develop a fix before the vulnerability can be exploited and maintain the security of our service and our users’ data, you may not publicly disclose a vulnerability without our explicit consent.

We administer bounties through a private Inspectiv program.

2. Program Rules

Researchers that do not follow these rules will not be eligible for compensation for reported vulnerabilities.

  1. Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Reports should include, for example, screen captures, videos, proof-of-concept code, and/or reports or other output from security tools/utilities.
  2. Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.
  3. When duplicates occur, we award only the first report that was received in compliance with these rules (provided that it can be fully reproduced).
  4. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  5. Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  6. Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
  7. You must immediately delete any data that you acquire. To the extent you access any sensitive data in the course of your research, you should do so and use such data only to the extent required to identify the vulnerability and then cease your access to the data. You may not disclose this data to any third party.
  8. You may not interact with accounts that you do not own or have explicit permission from the account holder to use.
  9. Try not to create multiple accounts, unless absolutely necessary, and limit up to two accounts total if multiple accounts are needed. For additional accounts, please contact us for permission first.

3. Disclosure Policy

  1. Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
  2. We will do our best to reply to your initial report within 48 hours and to update you on our progress at reasonable intervals thereafter. We ask that you provide us at least 60 days to investigate and remediate the issue before any disclosure to the public or a third-party. Notify us of your intended disclosure date.
  3. Once we decide that disclosure of a validated security vulnerability is appropriate, 7shifts will coordinate public disclosure with you. We generally prefer that our respective public disclosures be posted at the same time.

4. Scope

As part of our commitment to security and responsible disclosure, we encourage security researchers to participate in our bounty program. The following endpoints are considered in scope for security testing:

  1. Mobile Applications
    1. 7shifts Android App
    2. 7shifts iOS App
  2. API Endpoints
    1. https://oauth.7shifts.com
    2. https://login.7shifts.com/oauth2
    3. https://api.7shifts.com
    4. https://files.7shifts.com
    5. https://gql.7shifts.com
    6. https://app.7shifts.com/gql/v2
  3. Web Portal
    1. https://app.7shifts.com

We appreciate the efforts of security researchers and provide rewards for reports that disclose vulnerabilities affecting these endpoints. Please ensure compliance with our guidelines while conducting security tests.

5. Out of Scope & Exclusions

The following items are out-of-scope and are not covered under our bounty program:

  1. All other domains and subdomains not listed in scope above
  2. Cross-site-scripting (XSS) on “app.7shifts.com”
  3. Issues that require unlikely user interaction
  4. Public Zero-day vulnerabilities that have had an official patch for less than 1 month
  5. Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version)
  6. Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  7. Previously known vulnerable libraries without a working Proof of Concept
  8. Testing using public sign-up accounts
  9. Attacks which require MITM or physical access to a user’s device
  10. Any 3rd party not within the domain spaces in scope, or findings from applications or systems not listed in the ‘In Scope’ section
  11. Arbitrary file upload without proof/evidence of the uploaded file
  12. Activity that could lead to the disruption of service (DoS / DDoS), including Rate Limiting
  13. Broken Link Hijacking
  14. Blind SSRF without negative impact
  15. Clickjacking and Tapjacking
  16. Common Vulnerabilities and Exposures “CVE”
  17. CORS misconfiguration on non-sensitive endpoints or without negative impact
  18. CSRF without negative impact, on forms that are available to anonymous users (e.g. the contact form), or on logout
  19. CSV Injection
  20. Disclosure of known public files or directories, (e.g. robots.txt)
  21. Metadata not stripped from images/files
  22. Functional, UI, UX bugs and spelling mistakes
  23. Google Maps API Key Exposure
  24. HTTP request smuggling without negative impact
  25. Host Header injection without negative impact
  26. Identification of outdated software
  27. IP Logger Vulnerabilities
  28. Lack of Secure and HTTP Only cookie flags
  29. Lack of Security Speed Bump when leaving the site
  30. Login or Forgot Password page brute force and account lockout not enforced
  31. Mail configuration issues including SPF, DKIM, DMARC settings
  32. Missing HTTP security headers
  33. OPTIONS / TRACE HTTP method enabled
  34. Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
  35. Pre-Auth account takeover – “OAuth squatting”
  36. Rate limiting or brute force issues
  37. Self-XSS that cannot be used against other users
  38. Sending vulnerability reports using automated tools without validation
  39. Session fixation
  40. Social engineering (e.g. phishing, vishing, smishing) is prohibited
  41. Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
  42. SSL attacks such as BEAST, BREACH, or Renegotiation attack; SSL forward secrecy not enabled; SSL insecure cipher suites
  43. SSL certificate expired or misconfigured without negative impact
  44. Subdomain takeover
  45. Token expiration
  46. Tokens leaked to trusted third parties without negative impact
  47. Username/Email Enumeration
  48. Violation of Secure Design Principle
  49. Weak Captcha / Captcha Bypass
  50. WordPress XMLRPC issues

6. Bounty Payments

We want to encourage security researchers and ethical hackers to report security vulnerabilities to us. If you identify a vulnerability in compliance with this Policy and we are able to verify that vulnerability, we offer monetary compensation based on the severity of the vulnerability you report. The following table illustrates the compensation we typically offer to finders/reporters:

Severity Tier 1 Tier 2 Tier 3
Critical $500 $1,000 $2,500
High $250 $500 $1,000
Medium $100 $250 $500
Low $50 $100 $200
Informational $0 $0 $0

Severity: Submissions are issued a severity rating based on user interaction, exploit-ability, required privileges, and impact. Severity level will be one of the following: Informational, Low, Medium, High, Critical.

Factors that we may take into consideration when determining the appropriate type of compensation include:

  1. the level of ongoing coordination required between 7shifts and the reporter during the validation and remediation processes;
  2. the severity of the reported vulnerability; and
  3. the level of cooperation shown by the finder with respect to providing supporting information on the vulnerability and waiting to publicly disclose the issue until 7shifts is able to develop a mitigation.

Also, we will acknowledge finders/reporters by name in our public disclosures of reported security vulnerabilities, with your consent.

7. Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep 7shifts and our users safe!

7. Reporting

Please make your submissions here: https://client.inspectiv.com/vdp/7shifts/submit-report.