2020-10-13
Basecamp

TL;DR - Your insight and discoveries = our deep <3, and now $.

We're a small team born and bred on open source, so we look to the security community's lead for exploit patterns, best practices, top vulns, new research—everything. We've learned much and keep adapting. Thank you.

We push for the best in web security and it's your research that makes the big strides and reveals blind spots. We invite you to pursue and demonstrate your work here. We'll pair closely with you, respond to your findings speedily & thoroughly, and publicly share our appreciation.

Bounties range from USD $100 to $10,000 and scale according to impact and ingenuity, from an unlikely low-sensitivity XSS to a deep, novel RCE. One per bug; first discovery claims it; ties break toward the best report.

Our focus is on strong auth (sign-in, sessions, OAuth, account recovery), access control (bypasses, faults, CSRF, etc), and injection prevention (SQL, XSS, method args, etc).

Your focus is completely up to you.

In scope

Out of scope

  • Login and logout CSRF.
  • Rate limiting.
  • Email spoofing, including SPF/DKIM/DMARC policies, for Basecamp. Email spoofing is in scope for HEY.
  • DNSSEC and DANE.
  • Using product features like invitation/signup/forgot-password to deliver messages to any email address.
  • Vulns that require untrusted users on the same account: uploading malware, embedding phishing URLs in comments, RTLO-based attacks in URLs, IDN homograph attacks, etc.
  • Unsupported browsers, rogue extensions, platform vulns.
  • Reflected File Download (RFD).

Disqualifiers

  • Attempting access to other customers' accounts.
  • Denial of service: disrupting other customers' access to their own accounts.
  • Social engineering of any kind against other customers or Basecamp staff, including spearphishing attempts or contacting our support team.
  • Overwhelming our support team with messages. Don't fuzz Contact Support forms.
  • Physical intrusion.
  • Automated scanning and brute-forcing.

Guidelines

  • If you sign up for a HEY or Basecamp account for vulnerability testing, please include "HackerOne" somewhere in your email address. (For example, you could use Gmail’s task-specific email addresses feature.) This helps us filter your account out of business metrics such as conversion rate.

Questions?

In Scope

Scope Type            Scope Name
android_application   com.basecamp.hey
android_application   https://play.google.com/store/apps/details?id=com.basecamp.hey
application           basecamp3.exe
application           https://basecamp.com/via#basecamp-for-your-mac-or-pc
application           Basecamp.app
application           HEY.app
application           https://hey.com/apps/
application           https://snapcraft.io/hey-mail/
ios_application       https://basecamp.com/via#basecamp-for-ios-and-android-devices
ios_application       com.hey.app.ios
ios_application       https://apps.apple.com/us/app/hey-email/id1506603805
mobile_applications   https://www.microsoft.com/en-us/p/hey-mail/9pf08ljw7gw2
mobile_applications   HEY for Windows: https://www.microsoft.com/en-us/p/hey-mail/9pf08ljw7gw2
web_application       3.basecamp.com
web_application       launchpad.37signals.com
web_application       *.hey.com

Out of Scope

Scope Type            Scope Name
web_application       *.basecamphq.com
web_application       basecamp.com
web_application       *.highrisehq.com


This program, crawled on 2020-10-13, is categorized as a bounty program.

FireBounty © 2015-2020
