Symbaloo Bug Bounty
At Symbaloo, we understand that protecting consumer data is a high priority and a significant responsibility that requires constant monitoring. We deeply value everyone in the security community who helps us keep all our systems secure at all times.
We believe that responsible disclosure of security vulnerabilities helps us maintain the security and privacy of all our users, and we invite security researchers to report any security vulnerability they come across in our products. Those who submit bugs within the scope of our program will be rewarded for their support and security expertise.
If you come across a bug, you can email us at: firstname.lastname@example.org
How it works
- If you notice a potential security issue and meet all the criteria set out in this policy, raise a ticket by contacting us at email@example.com.
- Our security team will validate the authenticity and severity of the reported issue within around 90 days.
- After validation, the issue will be fixed in accordance with our security policies.
- The owner of the ticket will be informed once the issue is resolved.
To be eligible for a reward, you must meet the following requirements:
- You must be the first person to report a vulnerability to Symbaloo.
- The issue must impact any one of the applications listed under our defined scope.
- The issue must fall under the ‘Qualifying’ bugs listed.
- Publishing of vulnerability information in the public domain is not allowed.
- Any information about the vulnerability issue must be kept confidential until the issue is resolved.
- Privacy policies set by Symbaloo must not be violated when performing security testing.
- Modification or deletion of unauthenticated user data, disruption of production servers, or any form of degradation to user experience is completely prohibited.
Violation of any of these rules can result in ineligibility or removal from the Symbaloo bug bounty program.
- Use only the identified channel firstname.lastname@example.org to report any security vulnerability.
- When raising the ticket, ensure that the vulnerability and its potential impact are clearly described.
- Detailed step-by-step instructions for reproducing the vulnerability must also be included.
- A complete video PoC showing all the steps and relevant information must be attached.
- Details about the scope and qualification criteria are mentioned below.
- Website: www.symbaloo.com
- Out-of-scope websites: staging subdomains and any other subdomain not connected to symbaloo.com
Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:
- Cross-site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Server-Side Request Forgery (SSRF)
- SQL Injection
- Server-Side Remote Code Execution (RCE)
- XML External Entity Attacks (XXE)
- Access Control Issues (Insecure Direct Object Reference Issues, Privilege Escalation, etc)
- Exposed Administrative Panels that don't require login credentials
- Directory Traversal Issues
- Local File Disclosure (LFD) and Remote File Inclusion (RFI)
- Payments Manipulation
- Server-side code execution bugs
- Open-Redirects: 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing OAuth tokens, we do still want to hear about them.
The following issues do not qualify for a reward:
- Reports that state that software is out of date/vulnerable without a 'Proof of Concept'
- XSS issues that affect only outdated browsers
- Stack traces that disclose information
- Clickjacking and issues only exploitable through clickjacking
- CSV injection
- Best practices concerns
- Highly speculative reports about theoretical damage. Be concrete
- Self-XSS that can not be used to exploit other users
- Actions that can not be used to exploit other users
- Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue
- Reports from automated web vulnerability scanners (Acunetix, Burp Suite, Vega, etc.) that have not been validated
- Denial of Service Attacks
- Brute Force Attacks
- Reflected File Download (RFD)
- Physical or social engineering attempts (this includes phishing attacks against Symbaloo employees)
- Content injection issues
- Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
- Missing autocomplete attributes
- Missing cookie flags on non-security-sensitive cookies
- Issues that require physical access to a victim's computer
- Missing security headers that do not present an immediate security vulnerability
- Fraud Issues
- Recommendations about security enhancement
- SSL/TLS scan reports (this means output from sites such as SSL Labs)
- Banner grabbing issues (figuring out what web server we use, etc.)
- Open ports without an accompanying POC demonstrating vulnerability
- Recently disclosed vulnerabilities. We need time to patch our systems just like everyone else – please give us two weeks before reporting these types of issues.
The final decision on bug eligibility and rewards will be made by Symbaloo. The program exists entirely at the firm’s discretion and may be canceled at any time.
Email us at:
Write to us at:
Symbaloo HQ Netherlands
2611 GG Delft
Symbaloo United States
PO Box 6798
Incline Village, NV 89450
This bug policy was most recently updated on January 10th 2023.