HoneyBook’s Responsible Vulnerability Disclosure Program


1. Introduction
HoneyBook is committed to protecting our community and has established a program through which security researchers can report security issues in our website to us. If you believe you have found a vulnerability or issue and would like to participate in our program, we ask that you submit a detailed description of the issue to us, including the steps we can take to reproduce it and/or a proof-of-concept.

Once you submit a report to us, please allow our team a reasonable amount of time to respond to your report and correct the issue. We truly appreciate your efforts to protect our community, and we may reward participants for helping us out.

All reports are subject to the terms and conditions of our program, as set forth below, and to the Terms of Service available on the website.

For each report submitted to us, we strive to:

* Be as transparent as possible, answering all inquiries about our report decisions.
* Triage any report within ten business days of the report being submitted to us.
* Award bounties within a week of triage (excluding extenuating circumstances).
* Only close reports as N/A when the issue reported is included in Known issues or Ineligible vulnerability types, or lacks evidence of a vulnerability.

Kindly be aware that we do not provide rewards for multiple reports of the same core issue. Only the initial reporter will be eligible for a reward, and subsequent reports will be regarded as 'duplicates' of the first report that was submitted to us.

If you require further clarification regarding the rules or the scope of our bug bounty program, please do not hesitate to reach out to us at [email protected].

2. Accounts
We encourage security researchers to register for a bug bounty account with an email address that contains the phrase 'bugbounty' (e.g., [email protected], [email protected]). This will assist us in correctly identifying, replicating, and validating your discoveries.

Any eligible report that utilizes this email format during testing will receive an additional reward: $20 for critical severity findings, $10 for medium and high severity findings, and an extra $5 for low severity findings that are deemed rewardable. (Note that if no reward was initially granted, no additional reward will be provided.)

3. In-Scope Vulnerabilities
The scope of the bug bounty program is limited to the domains listed in the In-Scope Domains section below. Valid vulnerabilities on any domain not explicitly listed in scope may be accepted but are ineligible for a reward unless impact on in-scope domains can be demonstrated.

4. In-Scope Domains
api.honeybook.com
api2.honeybook.com
www.honeybook.com

5. Denial of Service
We encourage you to report any Denial of Service (DoS) issues you find. However, we only accept DoS issues that are exploitable by a single user with a single request.
We explicitly do not accept any kind of DDOS (Distributed Denial of Service) issues. Also, please note that a slow request does not constitute an availability impact for our program - if a particular request takes a long time to process, but eventually completes successfully and doesn't cause the service to become unavailable or crash, the availability of the system is not considered to be impacted.

If you think you have found a DoS issue, please include the following information in your report:
* The URL of the page that is vulnerable to DoS
* The X-Request-ID header from the HTTP response to the request that triggers the DoS
* The HTTP request that causes the DoS
* The HTTP response that is returned by the server after the DoS has been triggered
* The time it takes for the DoS to be triggered.

6. Known issues
The following issues or behaviors are by design or otherwise known to HoneyBook. Submitting a report that falls into this category will result in the report being rejected.

Our members are allowed to host various file types that can be accessed publicly later. We do not consider this a vulnerability.

XSS - At HoneyBook we allow members to use HTML in their documents and other fields, so HTML or script that a member renders in their own content is by design. We do not consider this a vulnerability.

The following XSS (Cross-Site Scripting) types are explicitly out of scope for this program:
* XSS - Set Header - Any issue that requires full control of an HTTP header, such as Referer, Host, etc.
* XSS - Inspect Element/Console - Any issue that requires the use of the browser's developer tools to execute javascript.
* XSS - Self-XSS - Any issue without a reasonable attack scenario. In general, we accept these reports only when at most two user steps are required to trigger the payload. For example, pasting a malicious payload into a template and then clicking to preview it would be two steps.

7. Mobile
There are a number of commonly reported false positives in the HoneyBook mobile applications that are not considered vulnerabilities.

The following vulnerability types will be rejected:
* Physical access to the device. Any issue in a mobile application that can only be exploited on a rooted or jailbroken device, or that depends on debug access being enabled.
* Vulnerabilities that depend on a vulnerability in the operating system.
* Mobile application biometrics bypass
* Lack of mobile binary protection or SSL pinning
* Lack of mobile application encryption
* Issues that can only be exploited on an emulated device
* API keys to services that the application publicly uses.

8. Potentially ineligible vulnerability types
HoneyBook does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be rejected:
* CSRF for Login/Logout/Public forms (unless it is chained together with another vulnerability to demonstrate impact)
* Race Conditions - If you've encountered a race condition, please ensure that it is exploitable and would give an attacker access to sensitive information.
* Rate limiting / Brute force - If you've encountered an endpoint that is not rate limited, please ensure that the endpoint handles sensitive information (for example an authentication or verification code). If it does, please provide a proof of concept that demonstrates the ability to brute force the endpoint within the range of 100-500 requests.
* Spam / Flooding - Email flooding, SMS flooding, or any other type of flooding.
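A brute-force proof of concept for the rate-limiting rule above should stay inside the 100-500 request range, stop at the first rate-limit response, and record per request the evidence the program asks for elsewhere (status, X-Request-ID, timestamp). The following script is an added example, not HoneyBook's code; the endpoint is hypothetical (a 6-digit verification code on a test account you own), and the `make_fake_sender` stand-in is constructed so the script runs offline. Against a real endpoint you would replace it with a function that performs one HTTP request and returns the status code and response headers.

```python
"""Budget-capped brute-force proof of concept (added example, not HoneyBook code).

Hypothetical target: a 6-digit verification code on a test account you own.
`send` performs one request and returns (status_code, response_headers); the
fake sender below is a constructed stand-in so this runs with no network.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Sender = Callable[[str], Tuple[int, Dict[str, str]]]

RATE_LIMIT_STATUSES = {429, 503}  # either means the server pushed back


@dataclass
class Attempt:
    candidate: str
    status: int
    request_id: Optional[str]  # X-Request-ID from the response, for the report
    sent_at: str               # UTC timestamp, also wanted in the report


@dataclass
class PocResult:
    attempts: List[Attempt] = field(default_factory=list)
    succeeded_with: Optional[str] = None
    rate_limited_at: Optional[int] = None  # 1-based index of the blocked attempt

    @property
    def request_count(self) -> int:
        return len(self.attempts)


def run_brute_force_poc(send: Sender, candidates: Iterable[str],
                        budget: int = 500, success_status: int = 200) -> PocResult:
    """Try candidates in order, never exceeding `budget` requests.

    Stops at the first success or the first rate-limit response, so the run
    generates the least traffic that still proves the point.
    """
    result = PocResult()
    for candidate in candidates:
        if result.request_count >= budget:
            break
        status, headers = send(candidate)
        result.attempts.append(Attempt(
            candidate=candidate,
            status=status,
            request_id=headers.get("X-Request-ID"),
            sent_at=datetime.now(timezone.utc).isoformat(),
        ))
        if status in RATE_LIMIT_STATUSES:
            result.rate_limited_at = result.request_count
            break
        if status == success_status:
            result.succeeded_with = candidate
            break
    return result


def is_reportable(result: PocResult, minimum: int = 100, maximum: int = 500) -> bool:
    """True when the correct value was still accepted after at least `minimum`
    requests, the server never rate limited, and `maximum` was not exceeded."""
    return (result.succeeded_with is not None
            and result.rate_limited_at is None
            and minimum <= result.request_count <= maximum)


def six_digit_codes(start: int = 0, stop: int = 1_000_000) -> Iterable[str]:
    """Candidate space for a numeric code; the budget caps how many are sent."""
    return (f"{n:06d}" for n in range(start, stop))


def make_fake_sender(correct: str, block_after: Optional[int] = None) -> Sender:
    """Constructed stand-in for the real endpoint (no network).

    Returns 200 for the correct code, 429 once more than `block_after`
    requests have been seen (when set), and 401 otherwise.
    """
    seen = 0

    def send(candidate: str) -> Tuple[int, Dict[str, str]]:
        nonlocal seen
        seen += 1
        headers = {"X-Request-ID": f"fake-{seen:04d}"}
        if block_after is not None and seen > block_after:
            return 429, headers
        if candidate == correct:
            return 200, headers
        return 401, headers

    return send


if __name__ == "__main__":
    # Unprotected endpoint: the correct code is the 150th candidate and is
    # still accepted, which clears the program's 100-500 request bar.
    open_result = run_brute_force_poc(make_fake_sender("000149"), six_digit_codes())
    print(open_result.request_count, open_result.succeeded_with, is_reportable(open_result))
    # Protected endpoint: blocked after 50 requests, so there is nothing to report.
    blocked = run_brute_force_poc(make_fake_sender("000149", block_after=50), six_digit_codes())
    print(blocked.request_count, blocked.rate_limited_at, is_reportable(blocked))
```

The per-attempt records (candidate, status, X-Request-ID, timestamp) are what goes into the report; the harness deliberately stops on the first 429 or 503 so that a protected endpoint is never hammered past the point where the program's rule is already answered.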

9. Subdomain Takeovers
Reports related to dangling domain records will be evaluated on a case-by-case basis for bounty taking into account several factors, including:
* The likelihood of the record being successfully taken over (i.e. whether the IP address or hostname the record points to can readily be claimed by an attacker).
* The likelihood that traffic would be sent to the specific fully-qualified domain name (FQDN) as part of normal operations.
* The purpose of the domain, if it can be inferred from the record (e.g. a test app).
Theoretical subdomain takeovers with no supporting evidence will not be eligible for a reward.

Most of these reports will result in P5 and therefore will be ineligible for a bounty. If you believe you have found a dangling domain record that is likely to be taken over and is likely to receive traffic, please include methodology and evidence in your report.

10. Ineligible vulnerability types
The following vulnerability types are explicitly out of scope for this program and will be rejected immediately:

* Social Engineering - Any issue that requires social engineering to be exploited, such as phishing, or impersonation of a HoneyBook employee. This includes contacting HoneyBook Support.
* Email Rate Limiting or Spamming.
* Vulnerability Scanner False Positives - Any issue that is reported by a vulnerability scanner, but is not exploitable by a human.
* Enabled GraphQL introspection query - We highly recommend researchers to utilize it as a valuable resource.
* Missing HTTP security headers (HSTS, CSP, etc.).
* Lack of HTTP Only / SECURE flag for cookies.
* CORS issues without a PoC and a real impact (i.e. we will not accept reports regarding unauthenticated resources).
* CDN - Sensitive data disclosure - All files on the Content Delivery Network (honeybook.com) are public by design.
* Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
* No Captcha / Weak Captcha.
* Tab nabbing.
* Support for HTTP methods such as OPTIONS does not constitute a vulnerability by itself. Please ONLY submit findings related to this if you identify specific vulnerabilities.
* HTTP 404 codes/pages or other HTTP non-200 codes/pages.
* Clickjacking on pages with no sensitive actions.
* Password, email, and account policies, such as email address verification, password complexity.
* Issues with the SPF, DKIM or DMARC records on honeybook.com or other HoneyBook domains (sometimes reported as email spoofing).
* MTA-STS/ TLS-RPT records.
* DNSSEC Findings.
* Missing CAA Record
* Content spoofing.
* Lack of sub/resource integrity check without a PoC and a real impact.
* Disclosure of server or software version numbers.
* Disclosure of API keys in api.honeybook.com/api/gon - Please ONLY submit findings related to this if you identify specific vulnerabilities with a PoC that shows real usage that can impact our users.
* Vulnerabilities on 3rd party libraries and solutions being used by HoneyBook.
* Generic examples of Host header attacks without evidence of the ability to target a remote victim.
* Perceived permission issues without impact on the integrity or confidentiality of data.
* Service Rate Limiting
* Lack of input field length validation
* Reports exploiting the behavior of, or vulnerabilities in, outdated browsers.
* Reports of broken links or unclaimed social media accounts (unless chained with an impactful exploit).
* Lack of domain verification when adding a custom domain.
* Username enumeration on sign-in & sign-up
* Man-in-the-Middle attacks
* SSL Issues, e.g. SSL Attacks such as BEAST, BREACH, Renegotiation attack, SSL Forward secrecy not enabled
* SSL weak / insecure cipher suites

11. Rules for participation
The following rules must be followed in order to participate in the HoneyBook bug bounty program and for any rewards to be paid:
* This program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists.
* You may only test against accounts you have created which include your registered email address.
* You must not attempt to gain access to, or interact with, any accounts other than those created by you.
* The use of commercial scanners is prohibited (e.g., Nessus).
* Rules for reporting must be followed.
* Do not disclose any issues publicly before they have been resolved.
* HoneyBook reserves the right to modify the rules for this program or deem any submissions invalid at any time. HoneyBook may cancel the bug bounty program without notice at any time.
* Contacting HoneyBook Support by any means in relation to this bounty program (pre-validating reports, testing against support, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.
* You are not, nor have you been, a HoneyBook employee or an immediate family member of a HoneyBook employee, within the last 12 months.
* You hereby represent, warrant and covenant that any content you submit to HoneyBook is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for HoneyBook to use the submitted content.
* By submitting content to HoneyBook, you irrevocably waive all moral rights which you may have in the content.
* All content submitted by you to HoneyBook under this program is licensed under the MIT License.
* You must report any discovered vulnerability to HoneyBook as soon as you have validated the vulnerability.
* A minimum of 90 days from the date of submission should elapse before sharing any information with external entities for each report submitted to us.
* Using multiple email accounts for sending reports is prohibited. Use only one email account to communicate with us.
* Copying reports from other platforms and entities (humans, tools, etc.) is discouraged. If you do, you must also add the source in the report.
* The use of a single email address per bug bounty researcher is permitted.
* Multiple email addresses used by a researcher will result in termination of their participation in the program.
* Requests for changing an email address must be communicated to HoneyBook via [email protected].
* Once changed, the new email address will be the only one used for communication.
* Email changes are limited to once per year and are subject to approval at HoneyBook's discretion.
Failure to follow any of the foregoing rules will disqualify you from participating in this program and from receiving any reward.

12. Bug Submission Requirements
* Reports should be submitted to [email protected]
* When a report is submitted from a new email address, the initial response from HoneyBook will request completion of a W8 form to facilitate potential reward payments.
* This step is mandatory before any review or triaging of reports from new email addresses.
* Payments, if applicable, will be made to the entity specified in the W8 form.
* Information provided in the form will not be altered unless there are typographical errors.

13. Required information
For all submissions, please include:
* Full description of the vulnerability being reported, including the exploitability and impact
* Evidence and explanation of all steps required to reproduce the submission, which may include: videos, screenshots, exploit code, traffic logs, web/API requests and responses, email address or user ID of any test accounts, IP address used during testing.

For RCE submissions, see below.

Failure to include any of the above items may delay or jeopardize the Bounty Payment.

14. Remote Code Execution (RCE) Submission Guidelines
Failure to meet the below conditions and requirements could result in a forfeiture of any potential Bounty Payment. In addition to the required information above, RCE submissions must include:
* Source IP address
* Timestamp, including time zone
* Full server requests and responses
* Filenames of any uploaded files, which must include "bugbounty" and the timestamp
* Callback IP and port, if applicable
* Any data that was accessed, either deliberately or inadvertently

Allowed Actions:
* Directly injecting benign commands via the web application or interface (e.g. whoami, hostname, ifconfig)
* Uploading a file that outputs the result of a hard-coded benign command

Prohibited Actions:
* Uploading files that allow arbitrary commands (i.e. a webshell)
* Modifying any files or data, including permissions
* Deleting any files or data
* Interrupting normal operations (e.g. triggering a reboot)
* Creating and maintaining a persistent connection to the server
* Intentionally viewing any files or data beyond what is needed to prove the vulnerability
* Failing to disclose any actions taken or applicable required information

15. Compliance with Laws; Miscellaneous
Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.
Upon HoneyBook’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.

16. Termination
In the event (i) you breach any of these Program Terms or the terms and conditions of the HoneyBook Agreements; or (ii) HoneyBook determines, in its sole discretion, that your continued participation in the Bug Bounty Program could adversely impact HoneyBook (including, but not limited to, presenting any threat to HoneyBook's systems, security, finances and/or reputation), HoneyBook may immediately terminate your participation in the Bug Bounty Program and disqualify you from receiving any Bounty Payments. Please see our recommendations on the proper procedures for testing our applications.
HoneyBook reserves the right to cancel this program at any time, and the decision to pay a bounty is entirely at our discretion.

17. Rewards
Below is the HoneyBook Vulnerability Rating Taxonomy for prioritization of findings. HoneyBook reserves the right to either downgrade or upgrade a finding's severity based on the criticality of its underlying risk and business impact to HoneyBook. Appropriate payouts will then be awarded accordingly. Any downgraded submission will come with a detailed explanation. In most cases, we will only triage and reward vulnerabilities rated more severe than P5. Some P4 findings will not be eligible for a bounty or extra reward. Please see the "Ineligible vulnerability types" section.

18. Payments

Severity        Priority   Reward
Informational   P5         $0
Low             P4         $0 - $25
Medium          P3         $75 - $400
High            P2         $500 - $750
Critical        P1         $1000 - $1250

*The payments described above do not include the extra reward as mentioned in the Accounts section.
Please note that HoneyBook uses Payem for payments. A Payem transfer can be made after you have filled in a W8 form.
The W8 form can be downloaded here.
Regrettably, we are unable to transfer funds to bank accounts or employ any alternative methods of transfer.
You are responsible for any tax implications resulting from any payouts depending on your country of residency and citizenship.