
Symbaloo Bug Bounty


At Symbaloo, we understand that the protection of consumer data is a high priority and extremely significant responsibility that requires constant monitoring. We deeply value all those in the security community that help us in ensuring 100% security of all our systems at all times.

We believe that responsible disclosure of security vulnerabilities helps us maintain the utmost security and privacy of all our users, and we invite security researchers to report any security vulnerability they come across in our products. Those submitting bugs within the scope of our program will be heartily rewarded for their support and security expertise.

If you come across a bug, you can email us at: security@symbaloo.com

How it works

  1. If you notice a potential security issue and meet all the criteria in our policy, reach out to us at security@symbaloo.com to raise a ticket.
  2. Our security team will validate the severity and authenticity of the reported issue within around 90 days.
  3. After validation, steps will be taken to fix the security issue in accordance with our security policies.
  4. The owner of the ticket will be informed once the issue is resolved.

Eligibility

To be eligible for a reward, the following requirements must be met by you:

  1. You must be the first person to report a vulnerability to Symbaloo.
  2. The issue must impact any one of the applications listed under our defined scope.
  3. The issue must fall under the ‘Qualifying’ bugs listed.
  4. Publishing of vulnerability information in the public domain is not allowed.
  5. Any information about the vulnerability issue must be kept confidential until the issue is resolved.
  6. No privacy policies set by Symbaloo must be violated when performing security testing.
  7. Modification or deletion of unauthenticated user data, disruption of production servers, or any form of degradation to user experience is completely prohibited.

Violation of any of these rules can result in ineligibility or removal from the Symbaloo bug bounty program.

Guidelines

  1. Use only the identified channel security@symbaloo.com to report any security vulnerability.
  2. While raising the ticket, ensure that the description and potential impact of the vulnerability are clearly stated.
  3. Detailed step-by-step instructions for reproducing the vulnerability must also be included.
  4. A complete video POC must be attached showing all the steps and information.
  5. Details about the scope and qualification criteria are mentioned below.

Scope

  1. Website: www.symbaloo.com
  2. Out-of-Scope websites: Staging subdomains, any other subdomain which is not connected to symbaloo.com

Qualifying Vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:

  1. Cross-site Scripting (XSS)
  2. Cross-Site Request Forgery (CSRF)
  3. Server-Side Request Forgery (SSRF)
  4. SQL Injection
  5. Server-Side Remote Code Execution (RCE)
  6. XML External Entity Attacks (XXE)
  7. Access Control Issues (Insecure Direct Object Reference Issues, Privilege Escalation, etc)
  8. Exposed Administrative Panels that don't require login credentials
  9. Directory Traversal Issues
  10. Local File Disclosure (LFD) and Remote File Inclusion (RFI)
  11. Payments Manipulation
  12. Server-side code execution bugs

Non-Qualifying Vulnerabilities

  1. Open-Redirects: 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing OAuth tokens, we do still want to hear about them.
  2. Reports that state that software is out of date/vulnerable without a 'Proof of Concept'
  3. XSS issues that affect only outdated browsers
  4. Stack traces that disclose information
  5. Clickjacking and issues only exploitable through clickjacking
  6. CSV injection
  7. Best practices concerns
  8. Highly speculative reports about theoretical damage. Be concrete.
  9. Self-XSS that can not be used to exploit other users
  10. Actions that can not be used to exploit other users
  11. Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue
  12. Reports from automated web vulnerability scanners (Acunetix, Burp Suite, Vega, etc.) that have not been validated
  13. Denial of Service Attacks
  14. Brute Force Attacks
  15. Reflected File Download (RFD)
  16. Physical or social engineering attempts (this includes phishing attacks against Symbaloo employees)
  17. Content injection issues
  18. Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
  19. Missing autocomplete attributes
  20. Missing cookie flags on non-security-sensitive cookies
  21. Issues that require physical access to a victim's computer
  22. Missing security headers that do not present an immediate security vulnerability.
  23. Fraud Issues
  24. Recommendations about security enhancement
  25. SSL/TLS scan reports (this means output from sites such as SSL Labs)
  26. Banner grabbing issues (figuring out what web server we use, etc.)
  27. Open ports without an accompanying POC demonstrating vulnerability
  28. Recently disclosed vulnerabilities. We need time to patch our systems just like everyone else – please give us two weeks before reporting these types of issues.

Reward

Bug Bounty rewards will be paid in the form of popular gift cards via a service called Tremendous. The value of the gift card will depend upon the severity and quality of the bug as below:

Bug Severity    Reward Value
High            50 USD
Medium          25 USD
Low             10 USD

Note

The final decision on bug eligibility and rewarding will be made by Symbaloo. The program exists completely at the firm’s discretion and has the provision to be canceled at any time.

Contact Symbaloo

Symbaloo takes all concerns about privacy and data usage very seriously. If you have any questions or concerns about the Symbaloo Privacy Policy, please contact us at one of the addresses listed below, and we will do our best to provide a prompt response to your question or concern.

Email us at:

security@symbaloo.com

Write to us at:

Symbaloo HQ Netherlands
Burgwal 47
2611 GG Delft
Netherlands

Symbaloo United States
PO Box 6798
Incline Village, NV 89450
United States

This bug policy was most recently updated on January 10th 2023.