We care deeply about keeping our users safe. If you believe you have discovered a vulnerability, we ask that you disclose it in a responsible manner. The Productboard Security Team will work with you to investigate, resolve the issue promptly and reward the first reporter of a vulnerability.
We are interested in critical vulnerabilities in our infrastructure and product, not in the output of automated scanners.
These vulnerabilities are out-of-scope and not subject to any reward:
While we welcome ethical and responsible identification and investigation of potential vulnerabilities, we ask that all security researchers stick to the following principles:
Submission reports should include a detailed description of your discovery with clear, concise steps allowing us to reproduce the issue, or a working proof-of-concept.
All communications between you and Productboard should go through vuln-disc -at- productboard.com.
Please only submit one report per issue.
When submitting a vulnerability report you agree that you may not publicly disclose your findings or the contents of your submission to any third parties in any way without Productboard’s prior written approval.
You may be eligible to receive a reward if:
The decision to grant a reward for the discovery of a valid security issue is at Productboard’s sole discretion. The amount of each bounty is based on the classification and sensitivity of the data impacted, the completeness of your report, ease of exploit and overall risk for Productboard’s users and brand.
Any activities conducted in good faith and in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
For more information, visit https://www.productboard.com/product/security/