Last updated: Oct 22nd, 2024
1. Policy
At 7shifts we believe in leveraging the skills of security researchers around the globe to identify weaknesses in our technology. If you believe you’ve found a security issue in our services, we encourage you to notify us.
Developing patches, upgrades, workarounds, and other mitigations to security vulnerabilities can be time-consuming and complex. In order to participate in our responsible disclosure program, vulnerability finders and reporters must provide us a reasonable period of time to investigate and remediate a reported issue. To be certain that we can develop a fix before the vulnerability can be exploited and maintain the security of our service and our users’ data, you may not publicly disclose a vulnerability without our explicit consent.
We administer bounties through a private Inspectiv program.
2. Program Rules
Researchers that do not follow these rules will not be eligible for compensation for reported vulnerabilities.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Reports should include, for example, screen captures, videos, proof-of-concept code, and/or reports or other output from security tools/utilities.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
- When duplicates occur, we award only the first report that was received in compliance with these rules (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- You must immediately delete any data that you acquire. To the extent you access any sensitive data in the course of your research, do so and use such data only to the extent required to identify the vulnerability, and then cease your access to the data. You may not disclose this data to any third party.
- You may not interact with accounts that you do not own or have explicit permission from the account holder to use.
- Try not to create multiple accounts unless absolutely necessary, and limit yourself to two accounts total if multiple accounts are needed. For additional accounts, please contact us for permission first.
4. Scope
As part of our commitment to security and responsible disclosure, we encourage security researchers to participate in our bounty program. The following endpoints are considered in scope for security testing:
- Mobile Applications
- API Endpoints
- Web Portal
We appreciate the efforts of security researchers and provide rewards for reports that disclose vulnerabilities affecting these endpoints. Please ensure compliance with our guidelines while conducting security tests.
5. Out of Scope & Exclusions
The following items are out-of-scope and are not covered under our bounty program:
- All other domains and subdomains not listed in scope above
- Cross-site scripting (XSS) on "app.7shifts.com"
- Issues that require unlikely user interaction
- Public zero-day vulnerabilities that have had an official patch for less than 1 month
- Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version)
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Previously known vulnerable libraries without a working Proof of Concept
- Testing using public sign-up accounts
- Attacks which require MITM or physical access to a user's device
- Any third party not within the domain spaces in scope, or findings from applications or systems not listed in the ‘In Scope’ section
- Arbitrary file upload without proof/evidence of the uploaded file
- Activity that could lead to the disruption of service (DoS / DDoS), including Rate Limiting
- Broken Link Hijacking
- Blind SSRF without negative impact
- Clickjacking and Tapjacking
- Common Vulnerabilities and Exposures (CVE)
- CORS misconfiguration on non-sensitive endpoints or without negative impact
- CSRF without negative impact, on forms that are available to anonymous users (e.g. the contact form), or on logout
- CSV Injection
- Disclosure of known public files or directories (e.g. robots.txt)
- Metadata not stripped from images/files
- Functional, UI, UX bugs and spelling mistakes
- Google Maps API Key Exposure
- HTTP request smuggling without negative impact
- Host Header injection without negative impact
- Identification of outdated software
- IP Logger Vulnerabilities
- Lack of Secure and HttpOnly cookie flags
- Lack of Security Speed Bump when leaving the site
- Login or Forgot Password page brute force and account lockout not enforced
- Mail configuration issues including SPF, DKIM, DMARC settings
- Missing HTTP security headers
- OPTIONS / TRACE HTTP method enabled
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Pre-Auth account takeover - “OAuth squatting”
- Rate limiting or brute force issues
- Self-XSS that cannot be used against other users
- Sending vulnerability reports using automated tools without validation
- Session fixation
- Social engineering (e.g. phishing, vishing, smishing) is prohibited
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
- SSL attacks such as BEAST, BREACH, or Renegotiation attack; SSL forward secrecy not enabled; SSL insecure cipher suites
- SSL certificate expired or misconfigured without negative impact
- Subdomain takeover
- Token expiration
- Tokens leaked to trusted third parties without negative impact
- Username/Email Enumeration
- Violation of Secure Design Principle
- Weak Captcha / Captcha Bypass
- WordPress XML-RPC issues
6. Bounty Payments
We want to encourage security researchers and ethical hackers to report security vulnerabilities to us. If you identify a vulnerability in compliance with this Policy and we are able to verify that vulnerability, we offer monetary compensation based on the severity of the vulnerability you report. The following table illustrates the compensation we typically offer to finders/reporters:
| Severity | Tier 1 | Tier 2 | Tier 3 |
|---|---|---|---|
| Critical | $500 | $1,000 | $2,500 |
| High | $250 | $500 | $1,000 |
| Medium | $100 | $250 | $500 |
| Low | $50 | $100 | $200 |
| Informational | $0 | $0 | $0 |
Severity: Submissions are issued a severity rating based on user interaction, exploitability, required privileges, and impact. The severity level will be one of the following: Informational, Low, Medium, High, Critical.
Factors that we may take into consideration when determining the appropriate type of compensation include:
- the level of ongoing coordination required between 7shifts and the reporter during the validation and remediation processes;
- the severity of the reported vulnerability; and
- the level of cooperation shown by the finder with respect to providing supporting information on the vulnerability and waiting to publicly disclose the issue until 7shifts is able to develop a mitigation.
With your consent, we will also acknowledge finders/reporters by name in our public disclosures of reported security vulnerabilities.
7. Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep 7shifts and our users safe!
8. Reporting
Please make your submissions here: https://client.inspectiv.com/vdp/7shifts/submit-report.