Our mission with SplashID Safe is keeping customer information confidential: your information should remain your own, secure and private. Over the past decade, we have worked with our community of users and with security researchers to improve SplashID Safe's security. We recognize that security is an ongoing process, and we need to constantly evolve to meet new threats. We appreciate all security concerns reported to us, and we value feedback.

If you feel you have found a potential security issue with SplashID Safe, please let us know. When reporting potential issues, please be as thorough as you can and provide enough detail that we can reproduce your finding. We will respond as soon as we can. Once you have submitted a security concern, we may follow up with you to get additional information. Once we have validated a concern and implemented a fix, we will thank you for your assistance and also recognize you publicly if you would like.
This program only awards points for submissions.
Before you begin, please read and understand the Standard Disclosure Terms.
In scope for this bounty
Out of scope
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
Program Specific Rules:
You may create test accounts within the following limits: up to two regular accounts and one SplashID Safe for Teams account with no more than three users
Test record creation is limited to a maximum of 50 records
No automated off-the-shelf scanners (like Acunetix or the Burp Suite Scanner)
Scripted / API tests must be rate limited to 1 request per second
Absolutely NO attacks or exploits against accounts not created by you. You may only attempt cross-account access between two accounts controlled by YOU
No DoS/DDoS tests
Vulnerabilities which will NOT be rewarded:
Clickjacking and issues only exploitable through clickjacking.
Descriptive error messages (e.g. Stack Traces, application or server errors).
Full path disclosure, and disclosure of known public files or directories
CSRF on forms that are available to anonymous users (e.g. the contact form).
CSRF on logout functionality
Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
Lack of Secure and HttpOnly cookie flags.
SSL/TLS weaknesses (e.g. insecure cipher suites or older protocol versions)
Missing account lockout enforcement
Bugs specific to unsupported browsers/plugins
Bugs that rely on impractical user action
This bounty requires explicit permission to disclose the results of a submission.