Last updated: June 8th, 2021
1. Policy
At 7shifts we believe in leveraging the skills of security researchers around the globe to identify weaknesses in our technology. If you believe you’ve found a security issue in our services, we encourage you to notify us.
We administer bounties through a private HackerOne program.
2. Program Rules
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
4. Scope
- Domains
  - app.7shifts.com
  - api.7shifts.com (app.7shifts.com/api)
  - files.7shifts.com
  - gql.7shifts.com
5. Out of Scope & Exclusions
The following items are out-of-scope and are not covered under our bounty program:
- All other domains and subdomains not listed in scope above
- XSS & CSRF on any domain other than app.7shifts.com
- Denial of Service (DDoS)
- DMARC / SPF Records on 7shifts.com
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
6. Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep 7shifts and our users safe!
7. Reporting
Please email security@7shifts.com with your findings. You’ll receive an automated response from HackerOne with instructions to complete your findings report, which 7shifts can then act upon.