Plumsail Bug Bounty
Objective: The Plumsail Bug Bounty Program aims to encourage security researchers, developers, and ethical hackers to identify and report potential security vulnerabilities in our platform. Our goal is to enhance the security of Plumsail by partnering with the security community.
Program scope: The Bug Bounty Program covers security vulnerabilities in Plumsail's web applications, APIs, and related infrastructure. Vulnerabilities that could impact the confidentiality, integrity, or availability of user data or the Plumsail platform are eligible for this program.
Eligibility
- The Bug Bounty Program is open to individual security researchers and professionals.
- Participants must comply with all applicable local, state, and national laws.
- Employees of Plumsail, its subsidiaries, and family members of employees are not eligible to participate in this program.
Submission Guidelines
- Submissions must include a detailed report of the vulnerability, steps to reproduce, and potential impact. Clear and concise explanations are necessary for a valid submission.
- Provide a working proof of concept to demonstrate the vulnerability.
- Do NOT publicly disclose the vulnerability until it has been resolved and you have received explicit permission from Plumsail.
- Only submit vulnerabilities that are your original work. Avoid submitting duplicates of previously reported vulnerabilities.
Out of Scope Vulnerabilities
- Issues related to social engineering attacks
- Vulnerabilities in third-party services or software not owned by Plumsail
- Denial of Service (DoS) attacks
- Issues that require physical access to the victim’s device
- Reports from automated tools or scans that do not demonstrate a specific vulnerability
- Reports related to the rate limits applied to an API endpoint
- Perceived excessive volumes of sent email (e.g., mail flooding)
- Vulnerable libraries without a working proof-of-concept
- Clickjacking
- Absent or misconfigured HTTP headers
- Missing best-practice bugs that don’t pose a direct/immediate risk to our company or our users (e.g. missing certificate authority authorization)
In Scope
Main website
- plumsail.com
- *.plumsail.com - any services
Actions/Forms/Documents products
- auth.plumsail.com - webapp
- account.plumsail.com - webapp
- api.plumsail.com - api
- forms.plumsail.com - api
- *.plumsail.io - api
HelpDesk product
Reward Guidelines
The reward for a valid vulnerability is up to $500, depending on the severity and impact of the issue. Rewards are categorized as follows:
- Critical
- High
- Medium
- Low
The Plumsail security team determines the reward amount based on the severity of the vulnerability, the quality of the report, and the impact on our platform.
Important Note: Not all submissions will result in a reward. If the vulnerability has already been reported by another researcher or identified by our security team, it will not qualify for a reward. Additionally, the review process may take some time, depending on the complexity of the issue and the volume of submissions.
Process
- Submit your report via our dedicated bug bounty platform or by emailing security@plumsail.com.
- Please ensure that your vulnerability report includes a specific use case to help our team better understand and assess the issue.
- You will receive an acknowledgment of your submission within 48 hours.
- Our security team will validate the vulnerability, assess its impact, and review the specific use case. The review process will last up to 30 days.
- Once validated, we will work to resolve the issue as quickly as possible. You will be updated on the status throughout the process.
- After the vulnerability is resolved, the reward will be issued within 30 days.
Legal Safe Harbor
We will not pursue legal action against researchers who:
- Adhere to the program rules and guidelines.
- Make a good faith effort to avoid privacy violations, disruption of services, and destruction of data.
- Provide us with sufficient time to resolve the issue before disclosing it publicly.
Program Terms
- Plumsail reserves the right to modify the terms of this program or discontinue it at any time without notice.
- All decisions regarding the program, including reward eligibility and amount, are final and at the discretion of the Plumsail security team.
Contact Information: For any questions or clarifications about the Bug Bounty Program, please contact security@plumsail.com.