2020-10-13
Basecamp

TL;DR - Your insight and discoveries = our deep <3, and now $.

We're a small team born and bred on open source, so we look to the security community's lead for exploit patterns, best practices, top vulns, new research—everything. We've learned much and keep adapting. Thank you.

We push for the best in web security and it's your research that makes the big strides and reveals blind spots. We invite you to pursue and demonstrate your work here. We'll pair closely with you, respond to your findings speedily & thoroughly, and publicly share our appreciation.

Bounties range from USD $100 to $10,000 and scale according to impact and ingenuity, from an unlikely low-sensitivity XSS to a deep, novel RCE. One per bug; first discovery claims it; ties break toward the best report.

Our focus is on

  • Strong auth (sign-in, sessions, OAuth, account recovery)

  • Access control (bypasses, faults, CSRF, etc.)

  • Injection prevention (SQL, XSS, method args, etc.)

  • For HEY only: potential privacy leaks, such as bypasses of our spy pixel blocking features or any other leak enabled by any of the HEY features.

Chaining bugs together to strengthen the attack scenario is encouraged.

This is out of scope for all our apps

  • Hyperlink injection on emails

  • Rate limiting

  • Best practices concerns (we require evidence of a security vulnerability)

  • Sessions not being invalidated when 2FA is enabled

  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms

  • Race conditions that don't compromise the security of any user or Basecamp

  • Reports about theoretical damage without a real risk

  • The output of automated scanners without explanation

  • CSRF with no security implications (like login/logout/unauthenticated CSRF)

  • Broken links

  • Missing cookie flags on non-security sensitive cookies

  • Attacks requiring physical access to a user's device

  • Missing security headers not related to a security vulnerability

  • Reports of insecure SSL/TLS ciphers unless you have a working proof of concept

  • Banner grabbing to identify the stack we use, or software version disclosure

  • Open ports without a vulnerability

  • Password and account recovery policies, such as reset link expiration or password complexity

  • Disclosure of known public files or directories (e.g. robots.txt)

  • Reports of spam

  • Username/email address enumeration

  • Presence of autocomplete attribute on web forms

  • DNSSEC and DANE

  • HSTS or CSP headers

  • Host header injection unless you can show how a third-party can exploit it

  • Reflected File Download (RFD)

  • EXIF information not stripped from uploaded images

  • DoS vulnerabilities based on submitting a large payload in an input field and triggering a 500 error

  • DoS vulnerabilities based on unlimited password length (hint: the password length is not unlimited)

  • Using product features like invitation/signup/forgot-password to deliver messages to any email address

  • Unrestricted file upload without a clear attack scenario or PoC

These apply to all our in-scope assets. See each app below for more specific out-of-scope reports.

Disqualifiers

  • Attempting access to other customers' accounts.

  • Denial of service: disrupting other customers' access to their own accounts.

  • Social engineering of any kind against other customers or Basecamp staff, including spearphishing attempts or contacting our support team.

  • Overwhelming our support team with messages. Don't fuzz Contact Support forms.

  • Physical intrusion.

  • Automated scanning, mail bombing, spam, brute-forcing or automated attacks with programs like Burp Intruder.

  • Leaking, manipulating, or destroying any user data.

Guidelines

  • All reports should include a detailed step-by-step explanation of how to replicate the issue and an attack scenario to demonstrate the risk.

  • Practice responsible disclosure. That's a responsibility to users, not us. We strive to live up to the other end of this by resolving bugs in a timely manner.

  • If you sign up for a HEY or Basecamp account for vulnerability testing, please include "HackerOne" somewhere in your email address. (For example, you could use Gmail’s task-specific email addresses feature.) This helps us filter your account out of business metrics such as conversion rate.

HEY

In scope

  • HEY websites and native apps

  • Web: https://*.hey.com

  • Email: hey.com and custom domains hosted with HEY

  • Your own HEY accounts only

Out of scope

  • Enabling 2FA on an unverified email address in order to prevent that address's owner from signing up.

  • stats.hey.com, stats.world.hey.com and stats.hey.science.

Basecamp websites and native apps

In scope

  • Web: https://3.basecamp.com and https://basecamp.com.

  • API: As described by https://github.com/basecamp/bc3-api and https://github.com/basecamp/api.

  • Authentication: https://launchpad.37signals.com.

  • Your own Basecamp accounts only.

Out of scope

  • Email spoofing, including SPF/DKIM/DMARC policies, for Basecamp. Email spoofing is in scope for HEY.

  • Vulns that require untrusted users on the same account: uploading malware, embedding phishing URLs in comments, RTLO-based attacks in URLs, IDN homograph attacks, etc.

  • Enabling 2FA on an unverified email address in order to prevent that address's owner from signing up.

  • Password not required to update the existing password or email address, switch to/from Google Sign In, or enable 2FA.

Open source

In scope

  • Trix: our rich-text editor. Used in HEY and Basecamp 3.

  • Stimulus: our client-side JavaScript framework. Used in HEY and Basecamp 3.

  • Other first-party open-source projects under the Basecamp org on GitHub.

Out of scope

  • Editable wiki pages in GitHub in open source projects

  • "Leak" of test and fixture data that appears to be personally identifiable information but is just test data

Questions?

This works because we work together.

Contact us with any questions: security@basecamp.com

In Scope

  Scope Type            Scope Name
  android_application   com.basecamp.hey
  android_application   com.basecamp.bc3
  application           basecamp3.exe
  application           Basecamp.app
  application           HEY.app
  application           hey-mail
  ios_application       com.hey.app.ios
  ios_application       com.basecamp.bc3-ios
  mobile_applications   HEY.exe
  web_application       3.basecamp.com
  web_application       launchpad.37signals.com
  web_application       *.hey.com
  web_application       world.hey.com

Out of Scope

  Scope Type            Scope Name
  web_application       *.basecamphq.com
  web_application       basecamp.com
  web_application       *.highrisehq.com


This program, crawled on 2020-10-13, is categorized as a bounty program.
