We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at Smartsheet. Every day new security issues and attack vectors are created. Smartsheet strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.

| Priority | APP / API | Non Application Targets |
| --- | --- | --- |
| P1 | $1250 - $2500 | $600 - $1000 |
| P2 | $750 - $1500 | $350 - $750 |
| P3 | $200 - $850 | $150 - $500 |
| P4 | $100 - $250 | $50 - $200 |
| P5 | $0 | $0 |

| Target name | Type |
| --- | --- |
| <https://app.smartsheet.com/> | Other |
| <https://api.smartsheet.com/1.1> | Other |
| <https://api.smartsheet.com/2.0> | Other |

Create a trial account at https://app.smartsheet.com/b/signup
Sign up for a Developer account through https://www.smartsheet.com/developers/register
As a condition of participation in this program, you hereby grant Smartsheet, its affiliates, and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Smartsheet in connection therewith, for any purpose.
You must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Smartsheet and any other party. You are also responsible for any applicable taxes associated with any reward you receive.
Do not access customer or employee personal information, pre-release Smartsheet content, or Smartsheet confidential information. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited. In the event that you access data that is not your own, please stop testing and submit the vulnerability, even if the finding is incomplete.
We may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.
This bounty requires explicit permission to disclose the results of a submission.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.