Bug Bounty Program for PageFly

Policy

Reward

At PageFly, we are committed to the ongoing security and safety of our communityand platform. We encourage security researchers to focus their efforts on findingsecurity vulnerabilities demonstrating meaningful impact.

Our rewards are determined by the PageFly security team based on the potentialimpact of a vulnerability. Please note these are general guidelines, and rewarddecisions are up to the discretion of PageFly. Previous bounty amounts are notconsidered as a precedent for future bounty amounts.

General Program Terms

By participating in the program, you agree that you are bound by and subject tothis policy. By submitting a vulnerability or other report to us, you grant to us, oursubsidiaries and its affiliates, a perpetual, irrevocable, royalty free license to allintellectual property rights licensable by you in or related to the use of thismaterial. You agree that no third party rights are involved in your report and youhave all rights to submit such a report. We may modify the terms of this policy orterminate the policy at any time.

If you do not comply with this policy or if we determine that your participation in the program is not in good faith or could adversely impact us, our affiliates, or our business partners (or any of our or their users, employees, or contractors), we, inour sole discretion, may remove you from the program and disqualify you from receiving any reward under the program.

Program Rules and Guidelines

• Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
• Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
• If more than one person reports the same security vulnerability, the reward will generally be given to the first person to successfully submit the report. Exceptions may be made on a case by case basis.
• Multiple vulnerabilities caused by one underlying issue may be awarded one bounty.
• Social engineering of any kind (including without limitation phishing, vishing, smishing) is prohibited.
• Do not commit privacy violations, destruction of data, or interruption or degradation of our service.
• Create test accounts or test content to avoid affecting real users.
• Do not test/exploit vulnerabilities on user accounts that you do not own or have rights to access or control.
• If you encounter PageFly user information during research, stop there and report the issue immediately via security@pagefly.io.
• Always read and adhere to community guidelines, terms of service, or privacy policies.
• If you have any questions about a particular report, please reach out via the corresponding security@pagefly.io ticket for tracking purposes.

Testing Notes

• Provide your IP address/test domain in the bug report. We will keep this data private and only use it to review logs related to your testing activity.

Scope

Vulnerabilities will be evaluated based on impact to PageFly systems and certain assets may be of higher impact.

We currently consider the following assets to be of greater interest:

• apps.pagefly.io

Disclosure and Confidentiality Policy

PageFly supports public recognition and disclosure of contributions and findings for in-scope reports closed as resolved. We will seek to allow participants to be publicly recognized whenever possible.

• Public disclosure of a vulnerability (either full or partial) is only permitted after the PageFly Team receives a Disclosure Request within the HackerOne platform and the PageFly Team agrees to disclose the report.
• Retention, copying, or disclosure of PageFly information gained as a result of participation is not permitted.
• PageFly may redact any sensitive information prior to disclosure.

If requesting beyond disclosure (e.g. in a blog or at a conference):

• Request approval before commencing a write up.
• Share your final blog edits and where the content is to be hosted with PageFly for approval.
• Do not publicly disclose information until you have explicit written consent to do so from PageFly.

Rewards

High-quality reports may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information. We also ask that researchers be responsive and collaborative which helps us efficiently implement and deliver fixes in a timely manner.

The criteria used to determine reward amount, bonuses, and eligibility are solely at our discretion.

Program Exclusions

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) potential security impact of the bug. The following issues are considered out of scope:

• Clickjacking on pages with no sensitive actions or requiring multiple user interactions.
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating avulnerability.
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS) or aviolation of the privacy of any user, employee or contractor of PageFly orany of its affiliates or business partners.
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
• Rate limiting or bruteforce issues on non-authentication endpoints.
• Missing best practices in Content Security Policy.
• Missing Referrer Policy.
• Missing Subresource Integrity directives.
• Missing anti-clickjacking mechanisms.
• Missing HttpOnly, Secure, SameSite cookie attributes.
• Missing email best practices (Invalid, incomplete or missingSPF/DKIM/DMARC records, etc.)
• Vulnerabilities only affecting users of outdated or unpatched browsers (morethan 2 stable versions behind the latest released stable version).
• Software version disclosure / Banner identification issues / Descriptive errormessages or headers (e.g. stack traces, application or server errors).
• Public Zero-day vulnerabilities that have had an official disclosure less than1 month before are on a case by case basis.
• Tabnabbing.
• Open redirect - unless an additional security impact can be demonstrated.
• Issues that require unlikely user interaction.
• Vulnerabilities that are already known (e.g. discovered and reported by otherresearchers or by an internal team).
• Self-XSS, which includes any payload entered by the victim.

Bug Submissions Requirements

Required information For all submissions, please include:

• Full description of the vulnerability being reported, including the exploitability and impact.
• Evidence and explanation of all steps required to reproduce the submission, which may include:

• Videos or Step by step screenshots.
• Exploit code.
• Traffic logs.
• Web/API requests and responses.
• Email address or user ID of any test accounts.
• IP address used during testing.
• For RCE submissions, see below Failure to include any of the above items may delay or jeopardize the Bounty Payment.

Remote Code Execution (RCE) Submissions Guidelines

Failure to meet the below conditions and requirements could result in a forfeiture of any potential Bounty Payment.

• Source IP address.
• Timestamp, including time zone.
• Full server request and responses.
• Filenames of any uploaded files, which must include “bug bounty” and thetimestamp.
• Callback IP and port, if applicable.
• Any data that was accessed, either deliberately or inadvertently.
• Allowed Actions:
  - Directly injecting benign commands via the web application or interface(e.g. whoami, hostname, ifconfig).
  - Uploading a file that outputs the result of a hard-coded benign command.
• Prohibited Actions:
  - Uploading files that allow arbitrary commands (i.e. a webshell).
  - Modifying any files or data, including permissions.
  - Deleting any files or data.
  - Interrupting normal operations (e.g. triggering a reboot).
  - Creating and maintaining a persistent connection to the server.
  - Intentionally viewing any files or data beyond what is needed to prove thevulnerability.
  - Failing to disclose any actions taken or applicable required information.

Known Issues

Please note that these known issues will not be accepted:

• Cross-Site Request Forgery (CSRF) findings reported after 5th July, 2023 on all PageFly products.
• Insecure Direct Object Reference (IDOR)/ Privilege Escalation/ Improper Access Control findings reported after 26th January, 2024 on all PageFly Seller Products.

We are working on a fix for the above issues and seek your kind patience.

Response Time

PageFly understands the importance of the efforts of Researchers reporting vulnerabilities, as they regularly make valuable contributions to PageFly and the broader community. We take each Submission seriously and will investigate and take appropriate steps to resolve reported vulnerabilities. PageFly will use its best efforts to meet the following timelines related to Submissions and to keep reporters informed throughout the process: