logo

Plumsail Bug Bounty

Objective: The Plumsail Bug Bounty Program aims to encourage security researchers, developers, and ethical hackers to identify and report potential security vulnerabilities in our platform. Our goal is to enhance the security of Plumsail by partnering with the security community.

Program scope: The Bug Bounty Program covers security vulnerabilities in Plumsail's web applications, APIs, and related infrastructure. Vulnerabilities that could impact the confidentiality, integrity, or availability of user data or the Plumsail platform are eligible for this program.

Eligibility

  • The Bug Bounty Program is open to individual security researchers and professionals.
  • Participants must comply with all applicable local, state, and national laws.
  • Employees of Plumsail, its subsidiaries, and family members of employees are not eligible to participate in this program.

Submission Guidelines

  • Submissions must include a detailed report of the vulnerability, steps to reproduce, and potential impact. Clear and concise explanations are necessary for a valid submission.
  • Provide a working proof of concept to demonstrate the vulnerability.
  • When a finding involves accessing another user's or tenant's data, demonstrate it using test accounts you control — do not access real users' data.
  • Do NOT publicly disclose the vulnerability until it has been resolved and you have received explicit permission from Plumsail.
  • In cases of duplicate reports, we will reward only the first reproducible report.
  • We will consider vulnerabilities stemming from the same root cause as a single issue and award only one bounty.
  • Only submit vulnerabilities that are your original work. Avoid submitting duplicates of previously reported vulnerabilities.

Out of Scope Vulnerabilities

The list below outlines common cases that fall out of the program’s scope, but does not limit them.

A report must demonstrate concrete security impact — unauthorized access to another user's or tenant's data or account, privilege escalation across a trust boundary, or code execution. Behavior that looks risky but does not cross a privilege, tenant, or authentication boundary is out of scope. In particular:

  • Issues that affect only your own account, team, or data — including actions within your own authenticated session that do not cross into another user's account or tenant
  • Stored XSS or script/HTML execution that runs only in content you author within your own account or tenant (self-XSS); cross-tenant execution is in scope
  • Race conditions or business-logic issues that produce only duplicate or inconsistent records within your own account; accessing paid features without payment is a billing matter unless it exposes another tenant's data
  • User or account enumeration
  • Information disclosure or reconnaissance that does not demonstrate exposure of sensitive data
  • Reports against products or features Plumsail does not offer
  • Findings related to intended functionality or accepted business risks
  • Issues related to social engineering attacks
  • Vulnerabilities in third-party services or software not owned by Plumsail, and any findings on out-of-scope hosts (listed below)
  • Vulnerabilities that can only be reproduced by tampering with your own client (e.g., replaying or modifying your own requests or responses, or reading your own browser storage), or that require control of the victim’s device or session
  • Denial of Service (DoS) attacks and reports related to the rate limits
  • Issues that require physical access to the victim’s device
  • Reports from automated tools or scans that do not demonstrate a specific vulnerability
  • Perceived excessive volumes of sent email (e.g., mail flooding)
  • Data breaches or credential dumps.
  • Contact/partner form
  • Vulnerable libraries without a working proof-of-concept
  • Clickjacking and Tabnabbing
  • Absent or misconfigured HTTP headers
  • Missing best-practice or not critical bugs that do not pose a direct/immediate risk to our company or our users (e.g., missing certificate authority authorization, bypassing IP-based restrictions, etc.)
  • CSRF for log-in, log-out, and sign-up pages
  • Cross-site scripting that requires the full control of an HTTP header, such as Referer, Host, etc.

In Scope

Main website

Actions/Forms/Documents products

HelpDesk product

Out of scope hosts

The following hosts are explicitly out of scope:

  • beta.plumsail.com
  • community.plumsail.com

Reward Guidelines

The reward for a valid vulnerability is up to $500, depending on the severity, impact, and quality of the report. Not all valid reports receive a monetary reward; all reward decisions are made at Plumsail's sole discretion.

In most cases, we will only reward the following types of vulnerabilities:

  • Arbitrary code execution and OS Command Injection
  • Stored Cross-Site Scripting (Stored XSS)
  • SQL injection
  • Authentication bypass and privilege escalation (authentication / authorization circumvention)
  • Significant Sensitive Data Exposure
  • Critical Business Logic Flaws

The Plumsail security team determines the reward amount based on the severity of the vulnerability, the quality of the report, and the impact on our platform.

Important Note: Not all submissions will result in a reward. If another researcher has already reported the vulnerability or was identified by our security team, it will not qualify for a reward. Additionally, the review process may take some time, depending on the complexity of the issue and the volume of submissions.

Process

  1. Submit your report by emailing security@plumsail.com.
  2. Please ensure that your vulnerability report includes a specific use case to help our team better understand and assess the issue.
  3. You will receive an acknowledgment of your submission within 48 hours.
  4. Our security team will validate the vulnerability, assess its impact, and review the specific use case. The review process will last up to 30 days.
  5. Once validated, we will work to resolve the issue as quickly as possible. You will be updated on the status throughout the process.
  6. After the vulnerability is resolved, any reward, if applicable, will be issued within 30 days.

Legal Safe Harbor

We will not pursue legal action against researchers who:

  • Adhere to the program rules and guidelines.
  • Make a good faith effort to avoid privacy violations, disruption of services, and destruction of data.
  • Provide us with sufficient time to resolve the issue before disclosing it publicly.

Program Terms

  • Plumsail reserves the right to modify the terms of this program or discontinue it at any time without notice.
  • All decisions regarding the program, including reward eligibility and amount, are final and at the discretion of the Plumsail security team.
  • We kindly ask all participants to act professionally and communicate respectfully at all times. Constructive, courteous interaction is essential for maintaining a positive and productive environment. Any form of aggressive, inappropriate, or unprofessional behavior may result in disqualification from the program.

Contact Information: For any questions or clarifications about the Bug Bounty Program, please contact security@plumsail.com.