If you're a security researcher and you believe you've discovered a security-related issue with UsabilityHub’s online systems, we appreciate your help in disclosing the issue to us responsibly.
Security is core to our values, and we value the input of security researchers acting in good faith to help us maintain a high standard of security and privacy for our users. This includes encouraging responsible vulnerability research and disclosure. This policy sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.
When working with us according to this policy, you can expect us to:
- Extend Safe Harbor for your vulnerability research that is related to this policy;
- Work with you to understand and validate your report, including a timely initial response to the submission;
- Work to remediate discovered vulnerabilities in a timely manner; and
- Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.
To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attack, we ask that you:
- Play by the rules. This includes following this policy, as well as any other relevant agreements. If there is any inconsistency between this policy and any other relevant terms, the terms of this policy will prevail;
- Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with us;
- Keep the details of any discovered vulnerabilities confidential until they are fixed, according to the Disclosure Policy;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
- Only interact with test accounts you own or with explicit permission from the account holder; and
- Do not engage in extortion.
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.
Official channel for reporting vulnerabilities
Please email firstname.lastname@example.org to report any security vulnerabilities. We will acknowledge receipt of your vulnerability report the next business day and strive to send you regular updates about our progress.
Please refrain from submitting your report or inquiring about its status through additional channels, as this unnecessarily ties up the security team's resources.
When reporting vulnerabilities you must communicate all information via email. Do not post information to video-sharing or pastebin sites.
Expected handle times
UsabilityHub will endeavor to meet the following timelines for researchers participating in our vulnerability disclosure program:
- Time to first response (from report submit) - 1 business day
- Time to triage (from report submit) - 5 business days, depending on the current report volume and severity. An estimated time to triage will be included in the first response.
- Time to bounty (from triage) - between 5 and 90 business days. A bounty is awarded no later than the release of a fix; how quickly a fix is released depends on the severity of the finding.
How severity and rewards are determined
UsabilityHub reserves the right to make a final decision regarding the severity and bounty for all reported findings. Reward amounts vary depending upon the reach, difficulty to exploit, and impact of the vulnerability reported. We classify vulnerabilities according to the following guidelines:
- Critical ($1000 - $3000). Issues that present a direct and immediate risk to a high percentage of our users or to UsabilityHub itself. For example: arbitrary code execution on our production network, SQL injection in our production database, bypassing the login process, arbitrary access to sensitive production data.
- High ($500 - $750). Issues that allow an attacker to read or modify highly sensitive data that they are not authorized to access. More narrow in scope than critical issues. For example: discovering sensitive data in a publicly exposed resource, gaining access to a non-critical resource that only UsabilityHub employees should have access to.
- Medium ($150 - $300). Issues that allow an attacker to read or modify limited amounts of data that is less sensitive. For example: bypassing CSRF validation for low-risk actions, or injecting attacker-controlled content (XSS) without bypassing CSP or executing sensitive actions with another user's session.
- Low ($0 - $150). Issues that may violate expectations about how something is intended to work, but allow nearly no escalation of privilege or ability to trigger unintended behavior.
How rewards are paid
All rewards are paid in USD. At this time, we are only able to pay rewards via PayPal. In order to receive a reward, you'll need to have a PayPal account and be able to receive payments from Australia.
We require a valid invoice in order to be able to issue rewards. Once issues that have been deemed eligible for a reward are verified as fixed, we will send through the necessary details for you to include on the invoice for payment.
Performing your research
- Do not impact other users with your testing. If you are attempting to find an authorization bypass, you must use accounts you own.
- Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- Never attempt to perform denial of service or other volumetric attacks.
- Do not use scanners, scrapers or any other automated tools in your testing.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will not accept or reward any of the following types of attacks:
- Denial of service attacks
- Phishing attacks
- Social engineering attacks
- Issues requiring direct access to UsabilityHub systems or target user hardware
- Issues requiring exceedingly unlikely user interaction
- CSP weaknesses
- Missing CSP (without an exploit that takes advantage of this)
- DMARC, SPF and DKIM email policy
- CSRF without any security impact
- Software version disclosure
- Use of known-vulnerable software
- Publicly accessible login panels
- Email enumeration
- Email spoofing
- Lack of email address confirmation on signup
- Vulnerabilities caused by outdated browsers
- Absence of DNSSEC and CAA records
- Password complexity policies
- Choice of TLS ciphers
We're also unable to offer a reward for vulnerabilities found in third party software or platforms we use (for example, Webflow or Metabase), unless the vulnerability results from a misconfiguration by us.
We ask that researchers refrain from disclosing their findings publicly until we have had time to address the vulnerability as per our expected handle times.