Security - Responsible Disclosure Program

JavaScript isn't enabled in your browser, so this file can't be opened. Enable and reload.

Responsible Disclosure Policy
Please provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party.

Program Rules
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Please refrain from using any brute-forcing or dynamic scanning tools that will cause harm to Beamery. DoS and brute-forcing our endpoints are out of scope.

Exclusions
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

Clickjacking on pages with no sensitive actions
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Any activity that could lead to the disruption of our service (DoS).
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Attempting to compromise our endpoints by brute forcing.
Missing best practices in Content Security Policy.
Missing HttpOnly or Secure flags on cookies
Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
Tabnabbing
Open redirect - unless an additional security impact can be demonstrated
Issues that require unlikely user interaction

Terms and Conditions
By clicking 'Submit ', you agree to the Responsible disclosure guidelines as stated here and Beamery's privacy policy https://beamery.com/policy/privacy.

You're about to submit a security vulnerability/bug to Beamery. Provide as much information as possible about the potential issue you have discovered. The more information you provide, the quicker Beamery will be able to validate the issue.

Provide the attack surface of the issue *

Submitted date *

YYYY

Weakness - Select the type of the potential issue you have discovered. Can't pick just one? Select the best match or submit a separate report for each distinct weakness. *

Access Control

Cryptographic issues

Memory Corruption

Insecure connection

Other:

Please explain the weakness/Vulnerability with the appropriate CVE number where applicable *

Severity *

Low

Critical

Proof of Concept - The proof of concept is the most important part of your report submission. Clear, reproducible steps will help us validate this issue as quickly as possible. *

Title : A clear and concise title includes the type of vulnerability and the impacted asset. *

Description*What is the vulnerability? In clear steps, how do you reproduce it?Please replace all the [square] sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report!## Summary:[add summary of the vulnerability]## Steps To Reproduce:[add details for how we can reproduce the issue] 1. [add step] 1. [add step] 1. [add step]## Supporting Material/References:[list any additional material (e.g. screenshots, logs, etc.)] * [attachment / reference] *

Impact : What security impact could an attacker achieve? *

Email : Enter your email to receive updates on the status of your submission. If you want to stay anonymous you can leave this field blank. *

Submit

Clear form

Never submit passwords through Google Forms.

This form was created inside of Beamery.

Does this form look suspicious? Report

Forms