Bug Bounty Program

We care deeply about keeping our users safe. If you believe you have discovered a vulnerability, we ask that you disclose it in a responsible manner. The Productboard Security Team will work with you to investigate, resolve the issue promptly and reward the first reporter of a vulnerability.

  1. Out-of-scope Vulnerabilities

    We are interested in critical vulnerabilities in our infrastructure and product, not in an output of automated scanners

    These vulnerabilities are out-of-scope and not subject to any reward:

    • Denial of service or Distributed Denial of service attacks
    • Presence/absence/misconfiguration of SPF/DKIM/DMARC records or any email misconfiguration in general
    • Lack of CSRF tokens
    • Clickjacking issues
    • Missing security headers which do not lead directly to a vulnerability
    • Missing best practices (we require exploitable evidence of a security vulnerability)
    • Reports from automated tools or scans
    • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)
    • Absence of rate limiting
    • Outdated software without any noteworthy vulnerability
    • Permission issues within a single business space

    Responsible Disclosure Policy

    While we welcome ethical and responsible identification and investigation of potential vulnerabilities, we ask that all security researchers stick to the following principles:

    • Do not engage in testing that:
      • Degrades Productboard’s information systems and products.
      • Results in you, or any third party, accessing, modifying, storing, sharing or destroying Productboard’s customer data.
      • Includes Denial of Service or brute-force attack mechanisms
      • Involves social engineering techniques
      • Directly addresses Productboard customers or end users.
      • Includes usage of automated tools and scanners.
    • When your investigation requires authorized access (e.g. you suspect potential privilege escalation or multi-tenancy issue), create a dedicated trial account for that purpose. Never attempt to bypass our security measures under a commercial account.
    • Do not exploit identified or known vulnerabilities on our infrastructure further than necessary to reasonably determine its presence. The Bounty Program is about improving security for Productboard users, not deliberately trying to put the community at risk.
    • In case you encounter customer data or other information that is not your own, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access such data may demonstrate a lack of good faith.

     

    Submission Process

    Submission reports should include a detailed description of your discovery with clear, concise steps allowing us to reproduce the issue, or a working proof-of-concept.

    All communications between you and Productboard should go through vuln-disc -at- productboard.com.

    Please only submit one report per issue.

    When submitting a vulnerability report you agree that you may not publicly disclose your findings or the contents of your submission to any third parties in any way without Productboard’s prior written approval.

    Reward

    You may be eligible to receive a reward if:

    • (i) you are the first person to submit a given vulnerability;
    • (ii) that vulnerability is determined to be a valid security issue by the Productboard Security Team
    • (iii) you have complied with the Productboard’s Bug Bounty program policy and guidelines.

    The decision to grant a reward for the discovery of a valid security issue is at Productboard’s sole discretion. The amount of each bounty is based on the classification and sensitivity of the data impacted, the completeness of your report, ease of exploit and overall risk for Productboard’s users and brand.

    Legal Safe Harbor

    Any activities conducted in a good faith and in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.



    For more information, visit https://www.productboard.com/product/security/