Software Responsible Disclosure/Bug Bounty Policy
Updated: 26 Aug 2020
Data security is a top priority for Holistics, and we believe that working with skilled security researchers can identify weaknesses in any technology. If you believe you’ve found a security vulnerability in Holistics Software’s service, please notify us; we will work with you to resolve the issue promptly.
Disclosure/Bug Bounty Policy
- If you believe you’ve discovered a potential vulnerability, please let us know by submitting a report. We will acknowledge your submission within one week.
- Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within five business days of disclosure.
- Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Holistics Software service. Please only interact with accounts you own or for which you have explicit permission from the account holder.
- Depending on the severity of the vulnerability reported, we will consider paying you to compensate for your effort.
Non Qualifying Vulnerabilities
- Login or Forgot Password page brute force and account lockout not enforced.
- Brute-force, / Rate-limiting, / Velocity throttling, and other denial of service based issues.
- Username or email address enumeration
- Email bombing
- Content spoofing/Text injection
- XSS vulnerabilities on sandbox domains, XSS (or a behavior) where you can only attack yourself (e.g. "Self XSS").
- Social engineering
- Clickjacking and issues only exploitable through clickjacking, unless accompanied by a real-world attack scenario and meaningful impact.
- Login/Logout/Unauthenticated CSRF
- Missing cookie flags on non sensitive cookies
- Missing security headers which do not lead directly to a vulnerability
- Vulnerabilities affecting users of outdated or unsupported browsers or platforms
- Attacks requiring physical access to a user device
- Low impact descriptive error pages and information disclosures without any sensitive information
- Invalid or missing SPF/DMARC records
- Password and account policies, such as reset link expiration or password complexity
- Bypassing pricing/paid features restrictions
- HTTPS Mixed Content messages
- Version number information disclosure
While researching, we’d like you to refrain from:
- Distributed Denial of Service (DDoS)
- Social engineering or phishing of Holistics Software employees or contractors
- Any attacks against Holistics Software’s physical property or data centers
Thank you for helping to keep Holistics Software and our users safe!
We may revise these guidelines from time to time. The most current version of the guidelines will be available here.