SSL Security

Responsible Disclosure

Our customers trust us to keep their data secure and confidential. We take security seriously and work constantly to ensure that trust is well-founded. Have something to report? Please reach out to us at security@teamretro.com

Responsible disclosure

We encourage everyone that practices responsible disclosure and complies with our policies and terms of service to participate in our vulnerability disclosure program. Please avoid automated testing and only perform security testing with your own data. Please do not disclose any information regarding the vulnerabilities until we fix them. We may, at our sole discretion, offer recognition for high-quality, impactful reports that demonstrate a genuine security risk.

You can report vulnerabilities by contacting security@teamretro.com. Please include a proof of concept. We will respond as quickly as possible to your submission and won’t take legal actions if you follow the rules.

Coverage:

  • secure.teamretro.com

Exclusions:

  • *.eu.teamretro.com
  • ww1.teamretro.com
  • ww2.teamretro.com
  • ww3.teamretro.com
  • www.teamretro.com
  • at.teamretro.com
  • help.teamretro.com
  • feedback.teamretro.com
  • mail.teamretro.com
  • status.teamretro.com
  • track.teamretro.com
  • games.teamretro.com
  • icebreaker.teamretro.com
  • ideas.teamretro.com
  • planning-poker.teamretro.com
  • www-assets.teamretro.com

Accepted vulnerabilities are the following:

  • Cross-Site Scripting (XSS)
  • Open redirect
  • Cross-site Request Forgery (CSRF)
  • Command/File/URL inclusion
  • Authentication issues
  • Code execution
  • Code or database injections

This vulnerability disclosure program does NOT include:

  • Account/email enumerations
  • Denial of Service (DoS)
  • Attacks that could harm the reliability/integrity of our business
  • Spam attacks
  • Clickjacking on pages without authentication and/or sensitive state changes
  • Mixed content warnings
  • Lack of DNSSEC
  • Content spoofing / text injection
  • Timing attacks
  • Social engineering
  • Phishing
  • Insecure cookies for non-sensitive cookies or 3rd party cookies
  • Vulnerabilities requiring exceedingly unlikely user interaction
  • Exploits that require physical access to a user’s machine
  • Missing security headers which do not lead directly to a vulnerability
  • Missing best practices (we require evidence of a security vulnerability)
  • Reports generated by automated scanners without demonstrated impact
  • Missing security headers without a demonstrated exploit
  • SSL/TLS configuration issues without a demonstrated exploit
  • Missing rate limiting
  • Self-XSS (requires victim to paste code into their own console)
  • Login/logout CSRF
  • Vulnerabilities requiring outdated or unsupported browsers
  • Duplicate reports or previously known issues

Submission requirements

All reports must include the following or they will not be reviewed:

  • Affected URL or endpoint
  • Step-by-step reproduction instructions
  • Proof of concept (screenshots, video, or code)
  • Description of the security impact

Automated scanning is not permitted without prior written approval. All testing must be performed manually and all vulnerability disclosure program details must remain confidential.

Our thanks go to the following security researchers:

  • Abin Joseph
  • daniel_v
  • Ananda Dhakal
  • Luiz Viana
  • Aman Gupta
  • Vipul Sahu
  • Hsu Myat Noe
  • Tomasz Bartoszewski
  • Harry Gertos
  • Sathwik Veeramaneni
  • Yassine Nafiai
  • SIDN SOC
  • Burhan Chhotaudepur
  • Faizan Nehal
  • Aaditya Kumar Sharma
  • Syed Ahsan Raza
  • Mohammed Eldawody
  • Yaniv Shoshani
  • Lucas Werkmeister
  • Ankit Rathva