Responsible Disclosure
Our customers trust us to keep their data secure and confidential. We take security seriously and work constantly to ensure that trust is well-founded. Have something to report? Please reach out to us at security@teamretro.com
Responsible disclosure
We encourage everyone who practices responsible disclosure and complies with our policies and terms of service to participate in our bug bounty program. Please avoid automated testing and only perform security testing with your own data. Please do not disclose any information regarding a vulnerability until we have fixed it. Rewards are granted at our discretion depending on the criticality of the vulnerability reported, and are distributed via PayPal.
You can report vulnerabilities by contacting security@teamretro.com. Please include a proof of concept. We will respond to your submission as quickly as possible and won't take legal action if you follow the rules.
Coverage
- *.teamretro.com
Specifically:
- secure.teamretro.com
Exclusions
- www.teamretro.com
- feedback.teamretro.com
- help.teamretro.com
- mail.teamretro.com
- status.teamretro.com
- track.teamretro.com
- *.eu.teamretro.com
Accepted vulnerabilities are the following
- Cross-Site Scripting (XSS)
- Open redirect
- Cross-site Request Forgery (CSRF)
- Command/File/URL inclusion
- Authentication issues
- Code execution
- Code or database injections
This bug bounty program does NOT include
- Account/email enumerations
- Denial of Service (DoS)
- Attacks that could harm the reliability/integrity of our business
- Spam attacks
- Clickjacking on pages without authentication and/or sensitive state changes
- Mixed content warnings
- Lack of DNSSEC
- Content spoofing / text injection
- Timing attacks
- Social engineering
- Phishing
- Insecure cookies for non-sensitive cookies or 3rd party cookies
- Vulnerabilities requiring exceedingly unlikely user interaction
- Exploits that require physical access to a user’s machine
- Missing security headers which do not lead directly to a vulnerability
- Missing best practices (we require evidence of a security vulnerability)
Automated scanning must be limited to 1 request per second (1 rps) without prior agreement, and all bug bounty details must remain confidential.