Bug Bounty Program
Powtoon takes the security of its application seriously and is always looking for ways to improve the security. As part of Powtoon's commitment to security, we encourage responsible reporting of any vulnerabilities that may be found in our site or application and the techniques used to exploit them.
We make it a priority to resolve confirmed issues as quickly as possible in order to best protect customers. We invite security researchers to investigate vulnerabilities in our site or applications, so long as your findings follow this responsible research and disclosure policy.
House Rules
Please review these terms before you test and/or report a vulnerability:
- Report any vulnerability you’ve discovered promptly through the official channels.
- Avoid privacy violations, denial of service, destroying data or any harmful acts that may negatively affect Powtoon or its users (e.g. spam, brute force, denial of service, etc.).
- Be the first person to report the vulnerability.
- Refrain from disclosing the vulnerability until we've addressed it.
- If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required for effectively demonstrating a proof of concept, then cease testing.
- Describe the technical severity of the finding. The Vulnerability Rating Taxonomy is the baseline guide used for classifying technical severity; the Common Vulnerability Scoring System Version 3.1 Calculator provides scoring guidance.
- Do not engage in extortion.
How to report a potential security vulnerability
Share details of the suspected vulnerability with Powtoon by sending an email to field-security@powtoon.com.
Rewards
As part of encouraging security researchers to put our security to the test, rewards will be given to findings that meet the following criteria:
- The reported vulnerability is verifiable.
- It hasn't been reported already.
- The finding has a material impact on our environment.
- The quality of the finding suggests reasonable research time was committed to the effort of finding the vulnerability.
- You've conducted your activities in a manner consistent with our guidelines.
Powtoon has a discretionary bug bounty program based on the type and criticality of the vulnerabilities found. Qualifying bugs will be rewarded based on severity as determined by Powtoon at its sole discretion only if you are the first person to disclose an unknown issue as specified in the table below:
Severity | Amount
--- | ---
High | Up to $500
Medium | Up to $250
Low | Up to $100
Exclusions
Below is a partial list of vulnerabilities that do not qualify for the Bounty Program as we have determined that they don’t pose a great risk in the context of Powtoon. However, if you think we’re mistaken, please reach out.
- CSRF on forms that are available to anonymous users
- Disclosure of known public files or directories (e.g. robots.txt)
- Domain Name System Security Extensions (DNSSEC) configuration suggestions
- Banner disclosure on common/public services
- HTTP/HTTPS/SSL/TLS/CSP security header configuration suggestions
- Missing security headers which do not lead directly to a vulnerability
- Lack of Secure/HttpOnly flags on non-sensitive cookies
- Logout CSRF
- Phishing or social engineering techniques
- Presence of application or web browser 'autocomplete' or 'save password' functionality
- Sender Policy Framework (SPF) configuration suggestions
- Vulnerabilities in third-party components in use at Powtoon
- Bugs that require unlikely user interaction or phishing, such as clickjacking or UI redress attacks
The following individuals are not eligible to claim a reward:
- Full-time or part-time employees of Powtoon, as well as their friends and family; and
- Contractors, consultants, representatives, suppliers, vendors, or any other persons related to or otherwise affiliated with Powtoon.